Description

Using POSIX attributes defined in AD in FreeIPA

Setup

• Setup an Active Directory server (2008 R2 or above).
• Install Services for Identity Management for UNIX Components: http://technet.microsoft.com/en-us/library/cc731178.aspx

How to test

Planned configuration

Instructions below will assume following setup:

• There is Active Directory domain, set up under name AD.LAN. Domain controller for AD.LAN server is dc.ad.lan and has IP-address DC-AD.
• There is FreeIPA realm, set up under name IPA.LAN. FreeIPA server for the realm IPA.LAN is dc.ipa.lan and has IP-address DC-IPA.

FreeIPA realm will gain a short name used for NetBIOS communication, known as 'domain name' in SMB. Usually it is the same as leftmost component of the realm, i.e. IPA for IPA.LAN.

Steps to prepare for trust-add

Adding a trust (letting FreeIPA detect the POSIX support)

Checking the properties of the range

Checking that user from AD has correct UID (as defined in AD)

Adding a trust (forcing the SID-based approach)

Checking the properties of the range

Checking that user does not have UID as defined in AD

Expected Results

All the test steps should end with the specified results.