Revision as of 21:15, 24 July 2013

Description

Using POSIX attributes defined in AD in FreeIPA

Setup

Setup an Active Directory server (2008 R2 or above).
Install Services for Identity Management for UNIX Components: http://technet.microsoft.com/en-us/library/cc731178.aspx

How to test

Planned configuration

Instructions below will assume following setup:

There is Active Directory domain, set up under name AD.LAN. Domain controller for AD.LAN server is dc.ad.lan and has IP-address DC-AD.
There is FreeIPA realm, set up under name IPA.LAN. FreeIPA server for the realm IPA.LAN is dc.ipa.lan and has IP-address DC-IPA.

FreeIPA realm will gain a short name used for NetBIOS communication, known as 'domain name' in SMB. Usually it is the same as leftmost component of the realm, i.e. IPA for IPA.LAN.

Configure FreeIPA server for trusts

If your

Adding a trust (letting FreeIPA detect the POSIX support)

First we need to check that there are no remnants of the previous trusts on the server.

# ipa idrange-find

---------------
1 range matched
---------------
  Range name: DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 278400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------                                                    
Number of entries returned 1                                                    
----------------------------

# ipa trust-find

----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------

Make sure that the time with the AD is synchronized.

# ntpdate advm.idm.lab.eng.brq.redhat.com

Add the trust. This can take a while as the FreeIPA is querying AD DC for UNIX information by default.

# ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password

Active directory domain administrator's password: 
------------------------------------------------------------------------
Added Active Directory trust for realm "tbad.idm.lab.eng.brq.redhat.com"
------------------------------------------------------------------------
  Realm name: tbad.idm.lab.eng.brq.redhat.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3,
                          S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9,
                          S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19,
                          S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3,
                          S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9,
                          S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19,
                          S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Checking the properties of the range

# ipa idrange-find

----------------
2 ranges matched
----------------
  Range name: DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 278400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
  Range type: Active Directory trust range with POSIX attributes
----------------------------
Number of entries returned 2
----------------------------

Checking that user from AD has correct UID (as defined in AD)

# getent passwd testuser@TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM

testuser@tbad.idm.lab.eng.brq.redhat.com:*:10000:50000:Test User:/home/testuser:/bin/sh

Adding a trust (forcing the SID-based approach)

Cleanup

First we delete the trust and the associated range.

# ipa trust-del $AD_DOMAIN
-----------------------------------------------
Deleted trust "tbad.idm.lab.eng.brq.redhat.com"
-----------------------------------------------
# ipa idrange-del TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
-----------------------------------------------------------
Deleted ID range "TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range"
-----------------------------------------------------------

We need to clear sssd cache, so that query for the testuser is not resolved from cache.

# systemctl stop sssd
# rm -rf /var/lib/sss/db/*
# systemctl start sssd

Adding the trust that does not use POSIX attributes

Now we add the trust, specifying the ipa-ad-local range type, which enforces SID to UID resolution.

# ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password --range-type ipa-ad-trust

------------------------------------------------------------------------
Added Active Directory trust for realm "tbad.idm.lab.eng.brq.redhat.com"
------------------------------------------------------------------------
  Realm name: tbad.idm.lab.eng.brq.redhat.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6,
                          S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
                          S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6,
                          S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
                          S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Checking the properties of the range

# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: DOM155.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 877400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
  First Posix ID of the range: 1218200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------

Checking that user does not have UID as defined in AD

# getent passwd testuser@TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
testuser@tbad.idm.lab.eng.brq.redhat.com:*:1218201156:1218201156:Test User:/home/testuser:/bin/sh

Expected Results

All the test steps should end with the specified results.

Search

QA:Testcase freeipa using posix attributes in ad: Difference between revisions

Revision as of 21:15, 24 July 2013

Contents

Description

Setup

How to test

Planned configuration

Configure FreeIPA server for trusts

Adding a trust (letting FreeIPA detect the POSIX support)

Checking the properties of the range

Checking that user from AD has correct UID (as defined in AD)

Adding a trust (forcing the SID-based approach)

Cleanup

Adding the trust that does not use POSIX attributes

Checking the properties of the range

Checking that user does not have UID as defined in AD

Expected Results

@@ Line 105: / Line 105: @@
   testuser@tbad.idm.lab.eng.brq.redhat.com:*:10000:50000:Test User:/home/testuser:/bin/sh
 === Adding a trust (forcing the SID-based approach) ===
-  # ipa -d trust-add --type=ad $AD_DOMAIN --admin Administrator --password --range-type ipa-ad-trust
+==== Cleanup ====
+First we delete the trust and the associated range.
+  # ipa trust-del $AD_DOMAIN
+ -----------------------------------------------
+ Deleted trust "tbad.idm.lab.eng.brq.redhat.com"
+ -----------------------------------------------
+ # ipa idrange-del TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
+ -----------------------------------------------------------
+ Deleted ID range "TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range"
+ -----------------------------------------------------------
+We need to clear sssd cache, so that query for the testuser is not resolved from cache.
+ # systemctl stop sssd
+ # rm -rf /var/lib/sss/db/*
+ # systemctl start sssd
+==== Adding the trust that does not use POSIX attributes ====
+Now we add the trust, specifying the ipa-ad-local range type, which enforces SID to UID resolution.
+ # ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password --range-type ipa-ad-trust
   ------------------------------------------------------------------------
@@ Line 125: / Line 149: @@
     Trust status: Established and verified
-=== Checking the properties of the range ===
+==== Checking the properties of the range ====
   # ipa idrange-find
@@ Line 148: / Line 172: @@
   ----------------------------
-=== Checking that user does not have UID as defined in AD ===
+==== Checking that user does not have UID as defined in AD ====
+ # getent passwd testuser@TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
+ testuser@tbad.idm.lab.eng.brq.redhat.com:*:1218201156:1218201156:Test User:/home/testuser:/bin/sh
 |results=