
Bug 1181853

Summary: [RFE] Add Global Catalog to allow authentication of IdM users within AD domain
Product: Red Hat Enterprise Linux 9
Reporter: Clifton Coursey <ccoursey>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED MIGRATED
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: high
Version: unspecified
CC: abokovoy, afarley, aperotti, baptiste.agasse, bobby.prins, ddas, dminnich, dthursto, ekeck, frenaud, j.bittner, jhunt, jkastnin, jshivers, ksiddiqu, mbogdano, mkosek, mpanaous, pasik, pvoborni, rcritten, tscherf
Target Milestone: beta
Keywords: FutureFeature, MigratedToJIRA, Triaged
Target Release: ---
Flags: jkastnin: needinfo-, pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-09-18 17:50:41 UTC
Type: Story
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1398653, 1421663
Bug Blocks: 1411762

Description Clifton Coursey 2015-01-13 22:53:21 UTC
Description of problem:
Customers would like to be able to use their IdM users to log on to Windows clients that are part of the trusted domain.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0
ipa-server-trust-ad-4.1.0

How reproducible:
100 %

Steps to Reproduce:
1. Set normal cross-realm trust 
2. IdM users are not able to log on to Windows clients
3. Global Catalog plugin/feature/option will need to be added.

Actual results:
Login not possible

Expected results:
Login is acceptable


Additional info:

Comment 1 Martin Kosek 2015-01-15 09:35:28 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3125

Comment 9 Martin Kosek 2016-12-08 15:15:37 UTC
Please note that the first version of this feature would not cover all possible use cases that an IdM user could have on a Windows client. It will cover basic use cases that will be enabled by adding a Global Catalog to IdM Server. Next use cases can be investigated after this step.

Having said that, this is the current set of User Stories that we are managing:

User Story 1: As a Windows Administrator I want to add IdM Users and Groups to the access control lists of resources in Active Directory, so that I can let IdM users log in to Windows clients enrolled with Windows Server and access file shares.
- Acceptance Criteria
     * I can enable "Allow logon locally" Global Policy for a special group with all IdM users or a selected IdM Group or an IdM User to later enable local logon
     * I can add a special group with all IdM users, selected IdM Group or IdM User to "Remote Desktop Users" group to later enable remote logon
     * I can grant access to a file share located on Windows Servers
     * Limitation: the use cases not explicitly called out above may or may not work and are not supported in the first implementation.

User Story 2: As an IdM User I'm able to login remotely or locally to Windows client enrolled in Windows Server, so that the user can use file shares or run a Windows application.
- Acceptance Criteria
     * Prerequisite: this workflow requires a bi-directional Trust between IdM Server and AD Forest Root and a Workstation enrolled in the forest's domain
     * When allowed, IdM user can log in with his user name and password to a local Windows terminal
     * When allowed, IdM user can log in with his user name and password to a remote Windows terminal using an RDP client (test with FreeRDP)
     * IdM user can open, modify or delete a file in a folder, when allowed by respective Windows folder ACL
     * IdM user can run a Windows application that does not require any additional interfaces (like SMB or DCE RPC) available on IdM Server


Comments and suggestions welcome!

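The Windows-side administration described in User Story 1 above (grant "Allow log on locally", membership in "Remote Desktop Users", and access to a file share to an IdM group), written out as an added PowerShell example. This is not code from the bug report, from Red Hat or from FreeIPA; it assumes hypothetical names (a trusted IdM realm with NetBIOS name "IPA", a group "idm-windows-users", a share under C:\Shares\idm) and it does not demonstrate the Global Catalog feature itself. What it adds is the check a practitioner wants first: whether the Windows host can translate the IdM principal to a SID through the trust at all, since that is exactly the step that fails without a Global Catalog and every ACL operation below depends on it.

```powershell
# Added example, not part of the bug report or of FreeIPA.
# Assumptions (hypothetical): trusted IdM realm NetBIOS name "IPA",
# IdM group "idm-windows-users", share path C:\Shares\idm. Run elevated
# on the Windows host that is enrolled in the AD forest's domain.
#Requires -RunAsAdministrator
param(
    [string]$Principal = 'IPA\idm-windows-users',
    [string]$SharePath = 'C:\Shares\idm',
    [string]$ShareName = 'idm'
)

# Prerequisite check: can this host map the IdM principal to a SID via the
# trust? Without a Global Catalog on the IdM side this lookup does not
# succeed, which is the failure mode the bug is about.
function Resolve-TrustedSid {
    param([string]$Name)
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Name)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

$sid = Resolve-TrustedSid -Name $Principal
if (-not $sid) {
    Write-Error "Cannot map '$Principal' to a SID through the trust. Verify the trust is bidirectional and that the IdM side can answer the lookup (Global Catalog)."
    exit 1
}
Write-Host "Resolved $Principal -> $sid"
$sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)

# 1. "Allow log on locally" = SeInteractiveLogonRight. There is no cmdlet for
#    user rights, so export the local policy with secedit, append the SID
#    (secedit lists SIDs with a leading '*'), and import it again.
#    A domain GPO that sets this right overrides the local setting.
$cfg = Join-Path $env:TEMP 'logon-rights.inf'
$db  = Join-Path $env:TEMP 'logon-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$text = Get-Content $cfg
$line = $text | Where-Object { $_ -match '^SeInteractiveLogonRight' }
if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight not present in the export; set it via Group Policy instead.'
} elseif ($line -notmatch [regex]::Escape($sid)) {
    $text = $text -replace '^(SeInteractiveLogonRight\s*=\s*.*)$', "`$1,*$sid"
    Set-Content -Path $cfg -Value $text -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Write-Host "Granted SeInteractiveLogonRight to $Principal"
}

# 2. Remote logon: add the IdM group to the local "Remote Desktop Users" group.
if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $Principal -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Principal
    Write-Host "Added $Principal to Remote Desktop Users"
}

# 3. File share: NTFS ACL (Modify, inherited by files and subfolders) plus
#    share-level Change permission. Both layers must allow the principal.
if (-not (Test-Path $SharePath)) {
    New-Item -ItemType Directory -Path $SharePath | Out-Null
}
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sidObj, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $Principal | Out-Null
} else {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Principal -AccessRight Change -Force | Out-Null
}
Write-Host "Share \\$env:COMPUTERNAME\$ShareName grants Change to $Principal"
```

If Resolve-TrustedSid returns nothing, stop there: adding an unresolvable name to an ACL either fails outright or leaves an orphaned SID entry, and the logon and RDP checks in User Story 2 cannot pass. The NTFS rule is written with the SID object rather than the name so that a later, transient lookup failure does not silently change which principal the ACE refers to.
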
Comment 25 Martin Kosek 2019-02-11 07:47:21 UTC
The RFE would be targeted primarily for RHEL-8.1 or later, not for RHEL-7.x - moving Bug to another product.

Comment 55 RHEL Program Management 2023-09-18 17:45:40 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 56 RHEL Program Management 2023-09-18 17:50:41 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.