This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3567

When legacy systems connect to IPA they need UID/GID for the users they look up. When there is a trust relationship between IPA and AD there are no UIDs replicated to IPA, so it is hard to provide anything to the legacy systems. To solve this problem we decided to create a new DS plugin. This DS plugin will work similarly to the compat plugin.

* It will expose a tree, but it will get it by querying SSSD using a getpwnam/getgrnam interface. It will create RFC2307 (not bis) objects.
* Authentication would also go through SSSD via PAM-PASSTHRU from the directory server.
* Special research should be conducted around handling of the TGT that is stored on the IPA server in this case. It is unclear what should be done with it.
* The compat tree should also deal with user name normalizations and expose only short names; however, there should be a clear way to deal with collisions in this case. Maybe it should be a configuration option of the plugin that would define the precedence, i.e. whether the IPA user wins over the AD user or vice versa. Colliding AD users might be a challenge too and might require special handling and logging.
* Since group enumeration is needed by legacy clients, e.g. to look up all groups a user is a member of (initgroups()), it makes sense to enable enumeration for the AD lookups in SSSD on the server. The impact should be investigated.

Related SSSD ticket is https://fedorahosted.org/sssd/ticket/1881
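As an added illustration of the compat-tree design described above (example code written for this page, not code from FreeIPA, slapi-nis or SSSD), the following Python sketch turns getpwnam/getgrnam-style records into RFC2307 (not bis) entries, normalises names to short names, and applies a configurable IPA-vs-AD precedence on collisions while logging them. The record values are constructed from the getent output later in this bug; the base DN, the cn=users/cn=groups containers and the "ipa"/"ad" precedence names are assumptions.

```python
import logging
import pwd
import grp

log = logging.getLogger("compat-tree")

# Constructed NSS records modelled on the getent output in this ticket; the real
# plugin would obtain them from SSSD through getpwnam()/getgrnam().
AD_USERS = [pwd.struct_passwd(("testuser@adposix.qe", "*", 10042, 10047,
                               "Test User", "/home/testuser", "/bin/sh"))]
AD_GROUPS = [grp.struct_group(("testgroup@adposix.qe", "*", 10047,
                               ["testuser@adposix.qe"]))]
IPA_USERS = [pwd.struct_passwd(("testuser", "*", 1234, 1234,
                                "Local Tester", "/home/testuser", "/bin/bash"))]

def short_name(name):
    """Normalise 'user@domain' or 'DOMAIN\\user' to a lower-case short name."""
    return name.split("@", 1)[0].rsplit("\\", 1)[-1].lower()

def user_entry(pw, base_dn):
    """RFC 2307 posixAccount built from a struct_passwd (no 2307bis extras)."""
    uid = short_name(pw.pw_name)
    return {"dn": f"uid={uid},cn=users,{base_dn}", "objectClass": ["posixAccount"],
            "uid": [uid], "cn": [uid], "uidNumber": [str(pw.pw_uid)],
            "gidNumber": [str(pw.pw_gid)], "gecos": [pw.pw_gecos],
            "homeDirectory": [pw.pw_dir], "loginShell": [pw.pw_shell]}

def group_entry(gr, base_dn):
    """RFC 2307 posixGroup: members are memberUid strings, not member DNs (2307bis)."""
    cn = short_name(gr.gr_name)
    return {"dn": f"cn={cn},cn=groups,{base_dn}", "objectClass": ["posixGroup"],
            "cn": [cn], "gidNumber": [str(gr.gr_gid)],
            "memberUid": [short_name(m) for m in gr.gr_mem]}

def merge(entries, precedence="ipa"):
    """entries: (source, entry) pairs, source in {'ipa', 'ad'}. On a DN collision the
    side named by precedence wins; duplicates within one source keep the first."""
    tree = {}
    for source, entry in entries:
        dn = entry["dn"]
        if dn in tree:
            log.warning("collision on %s (%s vs %s)", dn, tree[dn][0], source)
            if tree[dn][0] == source or source != precedence:
                continue
        tree[dn] = (source, entry)
    return {dn: e for dn, (_, e) in tree.items()}

def compat_tree(base_dn, precedence="ipa"):
    entries = [("ipa", user_entry(p, base_dn)) for p in IPA_USERS]
    entries += [("ad", user_entry(p, base_dn)) for p in AD_USERS]
    entries += [("ad", group_entry(g, base_dn)) for g in AD_GROUPS]
    return merge(entries, precedence)
```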
Linked to https://fedorahosted.org/freeipa/ticket/3670
FreeIPA configuration part pushed:
master: e95a7b1b8db9fb12c25fd371cac627352c5e93fb

slapi-nis configuration changed a bit:
master: 7ae58f0ca92e4a573e62aa4e770e12062bb2ddff

New slapi-nis was released, this concludes this effort and ticket: e57a9ae7d8031ec0bf9a0600ac75fee324b63a3f

Add requires for slapi-nis and SSSD Legacy client tool
master: c81849712f8888e6f12b7c2b7ebfcf5d2294addd
On master Posix range is added with trust add

[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54] <DEBUG>: RUN ['ipa', 'idrange-show', 'ADPOSIX.QE_id_range', '--all', '--raw']
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>: dn: cn=ADPOSIX.QE_id_range,cn=ranges,cn=etc,dc=testrelm,dc=com
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>: cn: ADPOSIX.QE_id_range
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>: ipaBaseID: 10000
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>: ipaBaseRID: 0
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>: ipaIDRangeSize: 200000
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>: ipaNTTrustedDomainSID: S-1-5-21-3655340000-3880942204-3419777279
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>: ipaRangeType: ipa-ad-trust-posix
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>: objectClass: ipaIDrange
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>: objectClass: ipatrustedaddomainrange
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54] <DEBUG>: Exit code: 0

* on legacy clients with nss_ldap, nss-pam-ldapd and sssd-1.5

[2014-01-21T08:51:21Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd56] <DEBUG>: RUN ['getent', 'passwd', 'testuser']
[2014-01-21T08:51:23Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd56.out] <DEBUG>: testuser:*:10042:10047:Test User:/home/testuser:/bin/sh
[2014-01-21T08:51:23Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd56] <DEBUG>: Exit code: 0
[2014-01-21T08:51:23Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd57] <DEBUG>: RUN ['getent', 'group', 'testgroup']
[2014-01-21T08:51:26Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd57.out] <DEBUG>: testgroup:*:10047:testuser
[2014-01-21T08:51:26Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd57] <DEBUG>: Exit code: 0

Verified in version ipa-server-3.3.3-13.el7.x86_64
Updated the doc text to better reflect what is really implemented.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.