Bug 1002649

Summary: [RFE] Expose POSIX data from AD for the legacy systems connecting to IPA that trusts that AD
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: abokovoy, rcritten, sgoveas
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.3.1-1.el7 Doc Type: Technology Preview
Doc Text:
IdM and SSSD have been enhanced to support cross realm Kerberos trusts with Active Directory. Earlier versions of SSSD (RHEL 6.3 and earlier) and other client software like nss-pam-ldap or nss_ldap/pam_ldap do not have built-in capabilities to participate in the cross realm trust relationships. To address this issue IdM has been extended to expose identities from the trusted AD forest to the older clients. With new slapi-nis plugin on IdM server, legacy clients can get information about AD users from IdM and authenticate these users against their home domain.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 09:49:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1004480    

Description Dmitri Pal 2013-08-29 16:14:49 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3567

When legacy systems connect to IPA they need UID/GID for the users they look up. When there is a trust relationship between IPA and AD there are no UIDs replicated to IPA so it is hard to provide anything to the legacy systems. To solve this problem we decided to create a new DS plugin.

This DS plugin will work similarly to the compat plugin. 

 * It will expose a tree but it will get it by quering SSSD using a getpwnam/getgrnam interface. It will create RFC2307 (not bis) objects.
 * Authentication would also go through SSSD via PAM-PASSTHRU from the directory server.
 * A special research should be conducted around handling of the TGT that is stored on the IPA server in this case. It is unclear what should be done with it. 
 * The compat tree should also deal with user name normalizations and expose only short names however there should be a clear way to deal with collisions in this case. May be it should be a configuration option of the plugin that would define the precedence, i.e. whether IPA user wins over the AD user or vice verse. Colliding AD users might be a challenge too and might require special handling and logging.
 * Since group enumeration is needed by legacy clients e.g. to look up all groups a user is member of (initgroups()) it makes sense to enable enumeration for the AD lookups in SSSD on the server. The impact should be investigated.

Related SSSD ticket is https://fedorahosted.org/sssd/ticket/1881
Comment 1 Dmitri Pal 2013-08-29 16:16:20 UTC 
Linked to https://fedorahosted.org/freeipa/ticket/3670
Comment 2 Rob Crittenden 2013-08-30 13:31:30 UTC 
FreeIPA configuration part pushed:

master: e95a7b1b8db9fb12c25fd371cac627352c5e93fb 

slapi-nis configuration changed a bit:

master: 7ae58f0ca92e4a573e62aa4e770e12062bb2ddff

New slapi-nis was released, this concludes this effort and ticket:

e57a9ae7d8031ec0bf9a0600ac75fee324b63a3f Add requires for slapi-nis and SSSD

Legacy client tool

master: c81849712f8888e6f12b7c2b7ebfcf5d2294addd
Comment 4 Steeve Goveas 2014-01-29 12:45:49 UTC 
On master Posix range is added with trust add

[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54] <DEBUG>: RUN ['ipa', 'idrange-show', 'ADPOSIX.QE_id_range', '--all', '--raw']
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   dn: cn=ADPOSIX.QE_id_range,cn=ranges,cn=etc,dc=testrelm,dc=com
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   cn: ADPOSIX.QE_id_range
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaBaseID: 10000
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaBaseRID: 0
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaIDRangeSize: 200000
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaNTTrustedDomainSID: S-1-5-21-3655340000-3880942204-3419777279
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaRangeType: ipa-ad-trust-posix
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   objectClass: ipaIDrange
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   objectClass: ipatrustedaddomainrange
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54] <DEBUG>: Exit code: 0

* on legacy clients with nss_ldap, nss-pam-ldapd and sssd-1.5

[2014-01-21T08:51:21Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd56] <DEBUG>: RUN ['getent', 'passwd', 'testuser']
[2014-01-21T08:51:23Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd56.out] <DEBUG>: testuser:*:10042:10047:Test User:/home/testuser:/bin/sh
[2014-01-21T08:51:23Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd56] <DEBUG>: Exit code: 0

[2014-01-21T08:51:23Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd57] <DEBUG>: RUN ['getent', 'group', 'testgroup']
[2014-01-21T08:51:26Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd57.out] <DEBUG>: testgroup:*:10047:testuser
[2014-01-21T08:51:26Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd57] <DEBUG>: Exit code: 0


Verified in version
ipa-server-3.3.3-13.el7.x86_64
Comment 5 Alexander Bokovoy 2014-05-20 10:31:12 UTC 
Updated the doc text to better reflect what is really implemented.
Comment 6 Ludek Smid 2014-06-13 09:49:49 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.