From Fedora Project Wiki

Revision as of 22:35, 24 July 2013

Description

Using POSIX attributes defined in AD in FreeIPA

Setup

Setup Active Directory instance

  • Set up an Active Directory server (2008 R2 or above).
    • We assume you are able to set up an Active Directory instance.

Services for Identity Management for UNIX Components

  • Install Services for Identity Management for UNIX Components.
  • Restart the Active Directory.
  • Add a user with POSIX attributes defined to Active Directory:
    • Bla bla

Setup FreeIPA instance

How to test

Configuration assumptions

The instructions below assume the following setup:

  • There is an Active Directory domain, set up under the name AD.EXAMPLE.ORG. The domain controller for AD.EXAMPLE.ORG is dc.ad.example.org and has the IP address DC-AD-IPaddr.
  • There is a FreeIPA realm, set up under the name IPA.EXAMPLE.ORG. The FreeIPA server for the realm IPA.EXAMPLE.ORG is srv.ipa.example.org and has the IP address DC-IPA-IPaddr.

The FreeIPA realm will gain a short name used for NetBIOS communication, known as the 'domain name' in SMB. Usually it is the same as the leftmost component of the realm, i.e. IPA for IPA.EXAMPLE.ORG.

Adding a trust (letting FreeIPA detect the POSIX support)

First we need to check that there are no remnants of previous trusts on the server.

# ipa idrange-find

There should be only the local range.

---------------
1 range matched
---------------
  Range name: IPA.EXAMPLE.ORG_id_range
  First Posix ID of the range: 278400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------

# ipa trust-find

No trust should be configured.

----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------

Make sure that the time is synchronized with the AD. Otherwise the AD KDC might refuse to talk to FreeIPA because the clock skew is too great.

# ntpdate dc.ad.example.org

Add the trust. This can take a while (up to 30 seconds), because FreeIPA queries the AD DC for UNIX information by default.

Note that we do not need to specify any additional flags: FreeIPA detects whether UNIX support is available on the AD or not.

# ipa trust-add --type=ad ad.example.org --admin Administrator --password
Active directory domain administrator's password: 
------------------------------------------------------------------------
Added Active Directory trust for realm "ad.example.org"
------------------------------------------------------------------------
  Realm name: ad.example.org
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3,
                          S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9,
                          S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19,
                          S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3,
                          S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9,
                          S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19,
                          S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Checking the properties of the range

# ipa idrange-find

You should see the trusted domain's range as well as the local domain range. The size of the range should be at least 200 000. The range should be of "Active Directory trust range with POSIX attributes" type.

----------------
2 ranges matched
----------------
  Range name: IPA.EXAMPLE.ORG_id_range
  First Posix ID of the range: 278400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: AD.EXAMPLE.ORG_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
  Range type: Active Directory trust range with POSIX attributes
----------------------------
Number of entries returned 2
----------------------------

Checking that user from AD has correct UID (as defined in AD)

# getent passwd testuser@AD.EXAMPLE.ORG

The user should have the UID we defined in the AD, that is, 10000.

testuser@ad.example.org:*:10000:50000:Test User:/home/testuser:/bin/sh


Adding a trust (forcing the SID-based approach)

Cleanup

First we delete the trust and the associated range.

# ipa trust-del ad.example.org
-----------------------------------------------
Deleted trust "ad.example.org"
-----------------------------------------------
# ipa idrange-del AD.EXAMPLE.ORG_id_range
-----------------------------------------------------------
Deleted ID range "AD.EXAMPLE.ORG_id_range"
-----------------------------------------------------------

We need to clear the SSSD cache, so that the query for testuser is not resolved from the cache.

# systemctl stop sssd
# rm -rf /var/lib/sss/db/*
# systemctl start sssd

Adding the trust that does not use POSIX attributes

Now we add the trust, specifying the ipa-ad-trust range type (the value passed to --range-type in the command below), which enforces SID to UID resolution even if UNIX support is detected on the Active Directory.

# ipa trust-add --type=ad ad.example.org --admin Administrator --password --range-type ipa-ad-trust
------------------------------------------------------------------------
Added Active Directory trust for realm "ad.example.org"
------------------------------------------------------------------------
  Realm name: ad.example.org
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6,
                          S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
                          S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6,
                          S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
                          S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Checking the properties of the range

# ipa idrange-find

There should be only two ranges, the local and the trusted domain's one, which should have the "Active Directory domain range" type.

----------------
2 ranges matched
----------------
  Range name: IPA.EXAMPLE.ORG_id_range
  First Posix ID of the range: 877400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: AD.EXAMPLE.ORG_id_range
  First Posix ID of the range: 1218200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------

Checking that user does not have UID as defined in AD

# getent passwd testuser@AD.EXAMPLE.ORG

The UID/GID returned should be different from those defined in AD, as they now come from SID -> UID/GID resolution.

testuser@ad.example.org:*:1218201156:1218201156:Test User:/home/testuser:/bin/sh
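The two UID checks above can be automated by locating the ID range that owns the UID returned by getent. The following is an added example, not part of the original test case or of FreeIPA; the function names are hypothetical, and it assumes that SID-mapped ranges assign UID = first POSIX ID + (RID - first RID), so the SID it prints is derived, not read from AD.

```python
import re

BASE, SIZE = "First Posix ID of the range", "Number of IDs in the range"
RID0, SID = "First RID of the corresponding RID range", "Domain SID of the trusted domain"
TYPE = "Range type"
# Constructed input: range records abridged from the second `ipa idrange-find` output above.
SID_RANGES = """\
  Range name: IPA.EXAMPLE.ORG_id_range
  First Posix ID of the range: 877400000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: AD.EXAMPLE.ORG_id_range
  First Posix ID of the range: 1218200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
  Range type: Active Directory domain range
"""

def parse_idranges(text):
    """Turn `ipa idrange-find` output into one dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(l.strip().split(": ", 1) for l in block.splitlines() if ": " in l)
        if "Range name" in rec:  # skips the header and footer banners
            records.append(rec)
    return records

def explain_uid(passwd_line, ranges):
    """Return (range name, how the UID was assigned, derived SID or None)."""
    uid = int(passwd_line.split(":")[2])
    for r in ranges:
        base, size = int(r[BASE]), int(r[SIZE])
        if not base <= uid < base + size:
            continue
        if r[TYPE] == "Active Directory domain range":
            # Assumption: UID = first POSIX ID + (RID - first RID) for SID-mapped ranges.
            rid = uid - base + int(r[RID0])
            return r["Range name"], "sid-mapped", f"{r[SID]}-{rid}"
        if r[TYPE].endswith("with POSIX attributes"):
            return r["Range name"], "posix-attribute", None
        return r["Range name"], "local", None
    return None, "outside-all-ranges", None  # e.g. a stale cached UID from the old range

if __name__ == "__main__":
    line = "testuser@ad.example.org:*:1218201156:1218201156:Test User:/home/testuser:/bin/sh"
    print(explain_uid(line, parse_idranges(SID_RANGES)))
```

A result of "outside-all-ranges" for testuser after the trust was re-added usually means the lookup was answered from the old SSSD cache rather than from the new range.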

Expected Results

All the test steps should end with the specified results.