Bug 1002649 - [RFE] Expose POSIX data from AD for the legacy systems connecting to IPA that trusts that AD
Summary: [RFE] Expose POSIX data from AD for the legacy systems connecting to IPA that...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1004480
Reported: 2013-08-29 16:14 UTC by Dmitri Pal
Modified: 2014-06-18 00:11 UTC
CC: 3 users

Fixed In Version: ipa-3.3.1-1.el7
Doc Type: Technology Preview
Doc Text:
IdM and SSSD have been enhanced to support cross realm Kerberos trusts with Active Directory. Earlier versions of SSSD (RHEL 6.3 and earlier) and other client software like nss-pam-ldap or nss_ldap/pam_ldap do not have built-in capabilities to participate in the cross realm trust relationships. To address this issue IdM has been extended to expose identities from the trusted AD forest to the older clients. With new slapi-nis plugin on IdM server, legacy clients can get information about AD users from IdM and authenticate these users against their home domain.
Clone Of:
Environment:
Last Closed: 2014-06-13 09:49:49 UTC
Target Upstream Version:
Embargoed:



Description Dmitri Pal 2013-08-29 16:14:49 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3567

When legacy systems connect to IPA they need UID/GID for the users they look up. When there is a trust relationship between IPA and AD there are no UIDs replicated to IPA so it is hard to provide anything to the legacy systems. To solve this problem we decided to create a new DS plugin.

This DS plugin will work similarly to the compat plugin. 

 * It will expose a tree but it will get it by querying SSSD using a getpwnam/getgrnam interface. It will create RFC2307 (not bis) objects.
 * Authentication would also go through SSSD via PAM-PASSTHRU from the directory server.
 * A special research should be conducted around handling of the TGT that is stored on the IPA server in this case. It is unclear what should be done with it. 
 * The compat tree should also deal with user name normalizations and expose only short names; however, there should be a clear way to deal with collisions in this case. Maybe it should be a configuration option of the plugin that would define the precedence, i.e. whether the IPA user wins over the AD user or vice versa. Colliding AD users might be a challenge too and might require special handling and logging.
 * Since group enumeration is needed by legacy clients e.g. to look up all groups a user is member of (initgroups()) it makes sense to enable enumeration for the AD lookups in SSSD on the server. The impact should be investigated.

Related SSSD ticket is https://fedorahosted.org/sssd/ticket/1881
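The design sketched in the description (a compat-style tree built from getpwnam/getgrnam results, RFC 2307 rather than rfc2307bis objects, short-name normalization, and a configurable IPA-wins/AD-wins precedence for collisions) can be illustrated in a few dozen lines. The following is an added example, not code from FreeIPA, slapi-nis or the ticket; the passwd records and the `source` label on each record are constructed for the example, and the compat base DN is assumed.

```python
# Added illustration (not FreeIPA or slapi-nis code): build RFC 2307 entries for a
# compat-style tree from passwd/group records of the kind SSSD's getpwnam()/getgrnam()
# would return, normalising names to their short form and resolving short-name
# collisions by a configurable precedence (IPA wins or AD wins). All records below
# are constructed for this example; the "source" label is a hypothetical marker.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class PasswdEntry:
    name: str    # name as the source returns it, e.g. "testuser@adposix.qe"
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str
    source: str  # "ipa" or "ad" (hypothetical label for the record's origin)

def short_name(name: str) -> str:
    """Normalise 'user@REALM' or 'DOMAIN\\user' to the short, lower-case 'user'."""
    if "@" in name:
        name = name.split("@", 1)[0]
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    return name.lower()

def merge_with_precedence(entries: List[PasswdEntry], ipa_wins: bool = True):
    """Return (kept, collisions): one record per short name, the record from the
    preferred source winning a collision; every collision is reported so the
    caller can log it instead of silently serving the wrong identity."""
    preferred = "ipa" if ipa_wins else "ad"
    kept: Dict[str, PasswdEntry] = {}
    collisions: List[Tuple[PasswdEntry, PasswdEntry]] = []  # (winner, loser)
    for entry in entries:
        key = short_name(entry.name)
        incumbent = kept.get(key)
        if incumbent is None:
            kept[key] = entry
        elif entry.source == preferred and incumbent.source != preferred:
            kept[key] = entry
            collisions.append((entry, incumbent))
        else:
            collisions.append((incumbent, entry))
    return kept, collisions

def users_to_ldif(kept: Dict[str, PasswdEntry], base_dn: str) -> str:
    """Render kept records as RFC 2307 posixAccount entries under the compat base."""
    blocks = []
    for key, e in sorted(kept.items()):
        blocks.append("\n".join([
            f"dn: uid={key},cn=users,{base_dn}",
            "objectClass: posixAccount",
            f"uid: {key}",
            f"cn: {e.gecos}",
            f"uidNumber: {e.uid}",
            f"gidNumber: {e.gid}",
            f"gecos: {e.gecos}",
            f"homeDirectory: {e.home}",
            f"loginShell: {e.shell}",
        ]))
    return "\n\n".join(blocks) + "\n"

def group_to_ldif(name: str, gid: int, members: List[str], base_dn: str) -> str:
    """RFC 2307 (not rfc2307bis) groups list members by short login name in
    memberUid, which is what initgroups() on a legacy client expects."""
    lines = [f"dn: cn={name},cn=groups,{base_dn}", "objectClass: posixGroup",
             f"cn: {name}", f"gidNumber: {gid}"]
    lines += [f"memberUid: {short_name(m)}" for m in members]
    return "\n".join(lines) + "\n"

# Constructed sample: one IPA-native user and two AD users, one of which collides
# with the IPA "admin" once its realm suffix is stripped.
SAMPLE_USERS = [
    PasswdEntry("admin", 1000, 1000, "IPA Administrator", "/home/admin", "/bin/bash", "ipa"),
    PasswdEntry("testuser@adposix.qe", 10042, 10047, "Test User", "/home/testuser", "/bin/sh", "ad"),
    PasswdEntry("admin@adposix.qe", 10001, 10001, "AD Administrator", "/home/admin", "/bin/sh", "ad"),
]

if __name__ == "__main__":
    base = "cn=compat,dc=testrelm,dc=com"  # assumed compat base DN
    kept, collisions = merge_with_precedence(SAMPLE_USERS, ipa_wins=True)
    for winner, loser in collisions:
        print(f"collision on '{short_name(winner.name)}': kept {winner.source}, dropped {loser.source}")
    print(users_to_ldif(kept, base))
    print(group_to_ldif("testgroup", 10047, ["testuser@adposix.qe"], base))
```

The point of returning the collision list rather than discarding the loser is the one the description raises: a short-name collision between an IPA user and an AD user is exactly where a legacy client could be handed the wrong identity, so the precedence must be explicit and every collision should be logged.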

Comment 1 Dmitri Pal 2013-08-29 16:16:20 UTC
Linked to https://fedorahosted.org/freeipa/ticket/3670

Comment 2 Rob Crittenden 2013-08-30 13:31:30 UTC
FreeIPA configuration part pushed:

master: e95a7b1b8db9fb12c25fd371cac627352c5e93fb 

slapi-nis configuration changed a bit:

master: 7ae58f0ca92e4a573e62aa4e770e12062bb2ddff

New slapi-nis was released, this concludes this effort and ticket:

e57a9ae7d8031ec0bf9a0600ac75fee324b63a3f Add requires for slapi-nis and SSSD

Legacy client tool

master: c81849712f8888e6f12b7c2b7ebfcf5d2294addd

Comment 4 Steeve Goveas 2014-01-29 12:45:49 UTC
On master, the POSIX range is added with trust add.

[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54] <DEBUG>: RUN ['ipa', 'idrange-show', 'ADPOSIX.QE_id_range', '--all', '--raw']
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   dn: cn=ADPOSIX.QE_id_range,cn=ranges,cn=etc,dc=testrelm,dc=com
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   cn: ADPOSIX.QE_id_range
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaBaseID: 10000
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaBaseRID: 0
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaIDRangeSize: 200000
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaNTTrustedDomainSID: S-1-5-21-3655340000-3880942204-3419777279
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   ipaRangeType: ipa-ad-trust-posix
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   objectClass: ipaIDrange
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54.out] <DEBUG>:   objectClass: ipatrustedaddomainrange
[2014-01-21T08:50:47Z ipa.ipatests.test_integration.host.Host.hp-bl280cg6-01.cmd54] <DEBUG>: Exit code: 0

* on legacy clients with nss_ldap, nss-pam-ldapd and sssd-1.5

[2014-01-21T08:51:21Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd56] <DEBUG>: RUN ['getent', 'passwd', 'testuser']
[2014-01-21T08:51:23Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd56.out] <DEBUG>: testuser:*:10042:10047:Test User:/home/testuser:/bin/sh
[2014-01-21T08:51:23Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd56] <DEBUG>: Exit code: 0

[2014-01-21T08:51:23Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd57] <DEBUG>: RUN ['getent', 'group', 'testgroup']
[2014-01-21T08:51:26Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd57.out] <DEBUG>: testgroup:*:10047:testuser
[2014-01-21T08:51:26Z ipa.ipatests.test_integration.host.Host.intel-s5000phb-01.cmd57] <DEBUG>: Exit code: 0


Verified in version
ipa-server-3.3.3-13.el7.x86_64
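The verification above shows an `ipa-ad-trust-posix` range of 200000 IDs starting at 10000 and a legacy client resolving `testuser` to UID 10042 / GID 10047. The check a defender wants at this point is that the IDs the legacy client is actually handed fall inside that trust's range. Below is an added example, not part of the bug report or of FreeIPA, that parses the raw `idrange-show` output and a `getent passwd` line and reports any ID outside the range; the sample output is constructed from the values quoted in the comment.

```python
# Added check (not part of the bug report or of FreeIPA): parse raw
# `ipa idrange-show ... --raw` output and a `getent passwd` line, and confirm the
# UID/GID served to a legacy client fall inside the trust's POSIX ID range.
# The sample text below is constructed from the values shown in the report.
import re
from typing import Dict, List, Tuple, Union

IDRANGE_RAW = """\
  dn: cn=ADPOSIX.QE_id_range,cn=ranges,cn=etc,dc=testrelm,dc=com
  cn: ADPOSIX.QE_id_range
  ipaBaseID: 10000
  ipaBaseRID: 0
  ipaIDRangeSize: 200000
  ipaNTTrustedDomainSID: S-1-5-21-3655340000-3880942204-3419777279
  ipaRangeType: ipa-ad-trust-posix
  objectClass: ipaIDrange
  objectClass: ipatrustedaddomainrange
"""

GETENT_PASSWD = "testuser:*:10042:10047:Test User:/home/testuser:/bin/sh"

Attrs = Dict[str, Union[str, List[str]]]

def parse_idrange(raw: str) -> Attrs:
    """Turn 'attribute: value' lines into a dict; a repeated attribute
    (objectClass here) becomes a list, preserving order."""
    attrs: Attrs = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key in attrs:
            existing = attrs[key]
            attrs[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            attrs[key] = value
    return attrs

def range_bounds(attrs: Attrs) -> Tuple[int, int]:
    """Half-open [base, base + size) interval covered by the range."""
    base = int(attrs["ipaBaseID"])
    size = int(attrs["ipaIDRangeSize"])
    return base, base + size

def parse_passwd_line(line: str) -> Dict[str, Union[str, int]]:
    """Split one getent passwd line into its seven fields."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"not a passwd line: {line!r}")
    return {"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3]),
            "gecos": fields[4], "home": fields[5], "shell": fields[6]}

def check_ids_in_range(attrs: Attrs, pw: Dict[str, Union[str, int]]) -> List[str]:
    """Return a list of problems (empty means the entry is consistent with the range)."""
    problems: List[str] = []
    if attrs.get("ipaRangeType") != "ipa-ad-trust-posix":
        problems.append(f"unexpected range type {attrs.get('ipaRangeType')!r}")
    sid = str(attrs.get("ipaNTTrustedDomainSID", ""))
    if not re.fullmatch(r"S-1-5-21-\d+-\d+-\d+", sid):
        problems.append(f"trusted domain SID {sid!r} is not a domain SID")
    lo, hi = range_bounds(attrs)
    for label in ("uid", "gid"):
        value = int(pw[label])
        if not lo <= value < hi:
            problems.append(f"{pw['name']}: {label} {value} outside [{lo}, {hi})")
    return problems

if __name__ == "__main__":
    attrs = parse_idrange(IDRANGE_RAW)
    pw = parse_passwd_line(GETENT_PASSWD)
    issues = check_ids_in_range(attrs, pw)
    print("OK" if not issues else "\n".join(issues))
```

Running the script against the constructed sample reports no problems; feeding it a passwd line with IDs below 10000 or at or above 210000 reports each offending field, which is the condition that would indicate the legacy client is resolving the user from somewhere other than the trust's POSIX range.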

Comment 5 Alexander Bokovoy 2014-05-20 10:31:12 UTC
Updated the doc text to better reflect what is really implemented.

Comment 6 Ludek Smid 2014-06-13 09:49:49 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

