From Fedora Project Wiki
No edit summary |
No edit summary |
||
| Line 23: | Line 23: | ||
# ipa idrange-find | # ipa idrange-find | ||
--------------- | --------------- | ||
1 range matched | 1 range matched | ||
| Line 37: | Line 38: | ||
# ipa trust-find | # ipa trust-find | ||
---------------- | ---------------- | ||
0 trusts matched | 0 trusts matched | ||
| Line 43: | Line 45: | ||
Number of entries returned 0 | Number of entries returned 0 | ||
---------------------------- | ---------------------------- | ||
Make sure that the time with the AD is synchronized. | |||
# ntpdate advm.idm.lab.eng.brq.redhat.com | |||
Add the trust. This can take a while as the FreeIPA is querying AD DC | |||
for UNIX information by default. | |||
# ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password | # ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password | ||
Active directory domain administrator's password: | Active directory domain administrator's password: | ||
------------------------------------------------------------------------ | ------------------------------------------------------------------------ | ||
| Line 69: | Line 79: | ||
# ipa idrange-find | # ipa idrange-find | ||
---------------- | ---------------- | ||
2 ranges matched | 2 ranges matched | ||
| Line 78: | Line 89: | ||
First RID of the secondary RID range: 100000000 | First RID of the secondary RID range: 100000000 | ||
Range type: local domain range | Range type: local domain range | ||
Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range | Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range | ||
First Posix ID of the range: 10000 | First Posix ID of the range: 10000 | ||
| Line 90: | Line 101: | ||
=== Checking that user from AD has correct UID (as defined in AD) === | === Checking that user from AD has correct UID (as defined in AD) === | ||
# getent passwd testuser@TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM | |||
testuser@tbad.idm.lab.eng.brq.redhat.com:*:10000:50000:Test User:/home/testuser:/bin/sh | |||
=== Adding a trust (forcing the SID-based approach) === | === Adding a trust (forcing the SID-based approach) === | ||
# ipa -d trust-add --type=ad $AD_DOMAIN --admin Administrator --password --range-type ipa-ad-trust | |||
------------------------------------------------------------------------ | |||
Added Active Directory trust for realm "tbad.idm.lab.eng.brq.redhat.com" | |||
------------------------------------------------------------------------ | |||
Realm name: tbad.idm.lab.eng.brq.redhat.com | |||
Domain NetBIOS name: TBAD | |||
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726 | |||
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, | |||
S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, | |||
S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 | |||
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, | |||
S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, | |||
S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 | |||
Trust direction: Two-way trust | |||
Trust type: Active Directory domain | |||
Trust status: Established and verified | |||
=== Checking the properties of the range === | === Checking the properties of the range === | ||
# ipa idrange-find | |||
---------------- | |||
2 ranges matched | |||
---------------- | |||
Range name: DOM155.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range | |||
First Posix ID of the range: 877400000 | |||
Number of IDs in the range: 200000 | |||
First RID of the corresponding RID range: 1000 | |||
First RID of the secondary RID range: 100000000 | |||
Range type: local domain range | |||
Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range | |||
First Posix ID of the range: 1218200000 | |||
Number of IDs in the range: 200000 | |||
First RID of the corresponding RID range: 0 | |||
Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 | |||
Range type: Active Directory domain range | |||
---------------------------- | |||
Number of entries returned 2 | |||
---------------------------- | |||
=== Checking that user does not have UID as defined in AD === | === Checking that user does not have UID as defined in AD === | ||
Revision as of 21:07, 24 July 2013
Description
Using POSIX attributes defined in AD in FreeIPA
Setup
- Setup an Active Directory server (2008 R2 or above).
- Install Services for Identity Management for UNIX Components: http://technet.microsoft.com/en-us/library/cc731178.aspx
How to test
Planned configuration
Instructions below will assume following setup:
- There is Active Directory domain, set up under name AD.LAN. Domain controller for AD.LAN server is dc.ad.lan and has IP-address DC-AD.
- There is FreeIPA realm, set up under name IPA.LAN. FreeIPA server for the realm IPA.LAN is dc.ipa.lan and has IP-address DC-IPA.
FreeIPA realm will gain a short name used for NetBIOS communication, known as 'domain name' in SMB. Usually it is the same as leftmost component of the realm, i.e. IPA for IPA.LAN.
Configure FreeIPA server for trusts
If your
Adding a trust (letting FreeIPA detect the POSIX support)
First we need to check that there are no remnants of the previous trusts on the server.
# ipa idrange-find
--------------- 1 range matched --------------- Range name: DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 278400000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100000000 Range type: local domain range ---------------------------- Number of entries returned 1 ----------------------------
# ipa trust-find
---------------- 0 trusts matched ---------------- ---------------------------- Number of entries returned 0 ----------------------------
Make sure that the time with the AD is synchronized.
# ntpdate advm.idm.lab.eng.brq.redhat.com
Add the trust. This can take a while as the FreeIPA is querying AD DC for UNIX information by default.
# ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password
Active directory domain administrator's password:
------------------------------------------------------------------------
Added Active Directory trust for realm "tbad.idm.lab.eng.brq.redhat.com"
------------------------------------------------------------------------
Realm name: tbad.idm.lab.eng.brq.redhat.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3,
S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9,
S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19,
S-1-5-20
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3,
S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9,
S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19,
S-1-5-20
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
Checking the properties of the range
# ipa idrange-find
---------------- 2 ranges matched ---------------- Range name: DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 278400000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100000000 Range type: local domain range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 10000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes ---------------------------- Number of entries returned 2 ----------------------------
Checking that user from AD has correct UID (as defined in AD)
# getent passwd testuser@TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
testuser@tbad.idm.lab.eng.brq.redhat.com:*:10000:50000:Test User:/home/testuser:/bin/sh
Adding a trust (forcing the SID-based approach)
# ipa -d trust-add --type=ad $AD_DOMAIN --admin Administrator --password --range-type ipa-ad-trust
------------------------------------------------------------------------
Added Active Directory trust for realm "tbad.idm.lab.eng.brq.redhat.com"
------------------------------------------------------------------------
Realm name: tbad.idm.lab.eng.brq.redhat.com
Domain NetBIOS name: TBAD
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6,
S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6,
S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
Checking the properties of the range
# ipa idrange-find ---------------- 2 ranges matched ---------------- Range name: DOM155.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 877400000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100000000 Range type: local domain range Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range First Posix ID of the range: 1218200000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory domain range ---------------------------- Number of entries returned 2 ----------------------------
Checking that user does not have UID as defined in AD
Expected Results
All the test steps should end with the specified results.