(Created page with "{{QA/Test_Case |description=Using POSIX attributes defined in AD in FreeIPA |setup= * Setup an Active Directory server (2008 R2 or above). * Install Services for Identity Mana...") |
No edit summary |
||
(14 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
|description=Using POSIX attributes defined in AD in FreeIPA | |description=Using POSIX attributes defined in AD in FreeIPA | ||
|setup= | |setup= | ||
=== Setup Active Directory instance === | |||
* Setup an Active Directory server (2008 R2 or above). | * Setup an Active Directory server (2008 R2 or above). | ||
* Install Services for Identity Management for UNIX Components: http://technet.microsoft.com/en-us/library/cc731178.aspx | ** We assume you are able to set up an Active Directory instance | ||
=== Services for Identity Management for UNIX Components === | |||
* Install Services for Identity Management for UNIX Components. | |||
** Please follow the following article: http://technet.microsoft.com/en-us/library/cc731178.aspx | |||
** Installation steps depend on your version of Active Directory, byt generally are very simple and do no take more than 2 minutes to complete. | |||
* Restart the Active Directory. | |||
* Add a user with POSIX attributes defined to Active Directory: | |||
** Start Active Directory Users and Computers tool. | |||
** Select Users folder, open context menu and select New -> Group | |||
** Create a new group with the name testgroup (keep default settings, that is Global scope and type security) | |||
** Open the context menu for the group and select Properties. | |||
** Select UNIX Attributes tab | |||
** Choose NIS domain AD and fill in the GID (should not be lower than 10000). | |||
** Select Users folder, open context menu and select New -> User. | |||
** Fill in the First and last name, uset ''testuser'' as a logon name. | |||
** Create a password for the user (uncheck the "User must change password on the next logon" checkbox). By the default complexity requirements, the password must use at least three character classes, i.e. Secret123. | |||
** Open the context menu for the user and select Properties. | |||
** Select UNIX Attributes tab | |||
** Choose NIS domain AD and fill in the UID (should not be lower than 10000) and corresponding GID for testgroup. | |||
=== Setup FreeIPA instance === | |||
* Please follow [[QA:Testcase_freeipa_trust_server_installation]] and consenquently [[QA:Testcase_freeipa_prepare_server_for_trusts]] in order to set up a FreeIPA instance for this test. | |||
|actions= | |actions= | ||
=== | === Configuration assumptions === | ||
Instructions below will assume following setup: | Instructions below will assume following setup: | ||
* There is Active Directory domain, set up under name AD. | * There is an Active Directory domain, set up under name AD.EXAMPLE.ORG. Domain controller for AD.EXAMPLE.ORG server is dc.ad.example.org and has IP-address DC-AD-IPaddr. | ||
* There is FreeIPA realm, set up under name IPA. | * There is a FreeIPA realm, set up under name IPA.EXAMPLE.ORG. FreeIPA server for the realm IPA.EXAMPLE.ORG is srv.ipa.example.org and has IP-address DC-IPA-IPaddr. | ||
FreeIPA realm will gain a short name used for NetBIOS communication, known as 'domain name' in SMB. Usually it is the same as leftmost component of the realm, i.e. IPA for IPA. | FreeIPA realm will gain a short name used for NetBIOS communication, known as 'domain name' in SMB. Usually it is the same as leftmost component of the realm, i.e. IPA for IPA.EXAMPLE.ORG. | ||
=== | === Adding a trust (letting FreeIPA detect the POSIX support) === | ||
=== | First we need to check that there are no remnants of the previous | ||
trusts on the server. | |||
# ipa idrange-find | |||
There should be only the local range. | |||
--------------- | |||
1 range matched | |||
--------------- | |||
Range name: IPA.EXAMPLE.ORG_id_range | |||
First Posix ID of the range: 278400000 | |||
Number of IDs in the range: 200000 | |||
First RID of the corresponding RID range: 1000 | |||
First RID of the secondary RID range: 100000000 | |||
Range type: local domain range | |||
---------------------------- | |||
Number of entries returned 1 | |||
---------------------------- | |||
# ipa trust-find | |||
No trust should be configured. | |||
---------------- | |||
0 trusts matched | |||
---------------- | |||
---------------------------- | |||
Number of entries returned 0 | |||
---------------------------- | |||
Make sure that the time with the AD is synchronized. Otherwise the AD | |||
KDC might not talk with FreeIPA since the clock skew might be too great. | |||
# ntpdate dc.ad.example.org | |||
Add the trust. This can take a while (up to 30 seconds) as the FreeIPA | |||
is querying AD DC for UNIX information by default. | |||
Note that we do not need to specify any additional flags, FreeIPA detects | |||
whether the UNIX support on the AD is available or not. | |||
# ipa trust-add --type=ad ad.example.org --admin Administrator --password | |||
Active directory domain administrator's password: | |||
------------------------------------------------------------------------ | |||
Added Active Directory trust for realm "ad.example.org" | |||
------------------------------------------------------------------------ | |||
Realm name: ad.example.org | |||
Domain NetBIOS name: AD | |||
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726 | |||
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, | |||
S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, | |||
S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, | |||
S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, | |||
S-1-5-20 | |||
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, | |||
S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, | |||
S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, | |||
S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, | |||
S-1-5-20 | |||
Trust direction: Two-way trust | |||
Trust type: Active Directory domain | |||
Trust status: Established and verified | |||
==== Checking the properties of the range ==== | |||
# ipa idrange-find | |||
You should see the trusted domain's range as well as the local domain range. | |||
The size of the range should be at least 200 000. The range should be of | |||
"Active Directory trust range with POSIX attributes" type. | |||
---------------- | |||
2 ranges matched | |||
---------------- | |||
Range name: IPA.EXAMPLE.ORG_id_range | |||
First Posix ID of the range: 278400000 | |||
Number of IDs in the range: 200000 | |||
First RID of the corresponding RID range: 1000 | |||
First RID of the secondary RID range: 100000000 | |||
Range type: local domain range | |||
Range name: AD.EXAMPLE.ORG_id_range | |||
First Posix ID of the range: 10000 | |||
Number of IDs in the range: 200000 | |||
First RID of the corresponding RID range: 0 | |||
Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 | |||
Range type: Active Directory trust range with POSIX attributes | |||
---------------------------- | |||
Number of entries returned 2 | |||
---------------------------- | |||
==== Checking that user from AD has correct UID (as defined in AD) ==== | |||
# getent passwd testuser@AD.EXAMPLE.ORG | |||
User should have the UID we defined in the AD. GID should belong to the testgroup. | |||
testuser@ad.example.org:*:10000:10000:Test User:/home/testuser:/bin/sh | |||
Check that with: | |||
# getent group testgroup@AD.EXAMPLE.ORG | |||
=== Adding a trust (forcing the SID-based approach) === | === Adding a trust (forcing the SID-based approach) === | ||
=== Checking the properties of the range ==== | ==== Cleanup ==== | ||
First we delete the trust and the associated range. | |||
# ipa trust-del ad.example.org | |||
----------------------------------------------- | |||
Deleted trust "ad.example.org" | |||
----------------------------------------------- | |||
# ipa idrange-del AD.EXAMPLE.ORG_id_range | |||
----------------------------------------------------------- | |||
Deleted ID range "AD.EXAMPLE.ORG_id_range" | |||
----------------------------------------------------------- | |||
We need to clear sssd cache, so that query for the testuser is not resolved from cache. | |||
# systemctl stop sssd | |||
# rm -rf /var/lib/sss/db/* | |||
# systemctl start sssd | |||
==== Adding the trust that does not use POSIX attributes ==== | |||
Now we add the trust, specifying the ipa-ad-local range type, which enforces SID to UID resolution, | |||
even if the UNIX support on the Active Directory is detected. | |||
# ipa trust-add --type=ad ad.example.org --admin Administrator --password --range-type ipa-ad-trust | |||
------------------------------------------------------------------------ | |||
Added Active Directory trust for realm "ad.example.org" | |||
------------------------------------------------------------------------ | |||
Realm name: ad.example.org | |||
Domain NetBIOS name: AD | |||
Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726 | |||
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, | |||
S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, | |||
S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 | |||
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, | |||
S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, | |||
S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 | |||
Trust direction: Two-way trust | |||
Trust type: Active Directory domain | |||
Trust status: Established and verified | |||
==== Checking the properties of the range ==== | |||
# ipa idrange-find | |||
There should be only two ranges, the local and the trusted domain's one, which should have the "Active Directory domain range" type. | |||
---------------- | |||
2 ranges matched | |||
---------------- | |||
Range name: IPA.EXAMPLE.ORG_id_range | |||
First Posix ID of the range: 877400000 | |||
Number of IDs in the range: 200000 | |||
First RID of the corresponding RID range: 1000 | |||
First RID of the secondary RID range: 100000000 | |||
Range type: local domain range | |||
Range name: AD.EXAMPLE.ORG_id_range | |||
First Posix ID of the range: 1218200000 | |||
Number of IDs in the range: 200000 | |||
First RID of the corresponding RID range: 0 | |||
Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 | |||
Range type: Active Directory domain range | |||
---------------------------- | |||
Number of entries returned 2 | |||
---------------------------- | |||
==== Checking that user does not have UID as defined in AD ==== | |||
# getent passwd testuser@AD.EXAMPLE.ORG | |||
The UID/GID returned should be different from those defined in AD as these come now | |||
from SID -> UID/GID resolution. | |||
testuser@ad.example.org:*:1218201156:1218201156:Test User:/home/testuser:/bin/sh | |||
|results= | |results= |
Latest revision as of 23:10, 24 July 2013
Description
Using POSIX attributes defined in AD in FreeIPA
Setup
Setup Active Directory instance
- Setup an Active Directory server (2008 R2 or above).
- We assume you are able to set up an Active Directory instance
Services for Identity Management for UNIX Components
- Install Services for Identity Management for UNIX Components.
- Please follow the following article: http://technet.microsoft.com/en-us/library/cc731178.aspx
- Installation steps depend on your version of Active Directory, byt generally are very simple and do no take more than 2 minutes to complete.
- Restart the Active Directory.
- Add a user with POSIX attributes defined to Active Directory:
- Start Active Directory Users and Computers tool.
- Select Users folder, open context menu and select New -> Group
- Create a new group with the name testgroup (keep default settings, that is Global scope and type security)
- Open the context menu for the group and select Properties.
- Select UNIX Attributes tab
- Choose NIS domain AD and fill in the GID (should not be lower than 10000).
- Select Users folder, open context menu and select New -> User.
- Fill in the First and last name, uset testuser as a logon name.
- Create a password for the user (uncheck the "User must change password on the next logon" checkbox). By the default complexity requirements, the password must use at least three character classes, i.e. Secret123.
- Open the context menu for the user and select Properties.
- Select UNIX Attributes tab
- Choose NIS domain AD and fill in the UID (should not be lower than 10000) and corresponding GID for testgroup.
Setup FreeIPA instance
- Please follow QA:Testcase_freeipa_trust_server_installation and consenquently QA:Testcase_freeipa_prepare_server_for_trusts in order to set up a FreeIPA instance for this test.
How to test
Configuration assumptions
Instructions below will assume following setup:
- There is an Active Directory domain, set up under name AD.EXAMPLE.ORG. Domain controller for AD.EXAMPLE.ORG server is dc.ad.example.org and has IP-address DC-AD-IPaddr.
- There is a FreeIPA realm, set up under name IPA.EXAMPLE.ORG. FreeIPA server for the realm IPA.EXAMPLE.ORG is srv.ipa.example.org and has IP-address DC-IPA-IPaddr.
FreeIPA realm will gain a short name used for NetBIOS communication, known as 'domain name' in SMB. Usually it is the same as leftmost component of the realm, i.e. IPA for IPA.EXAMPLE.ORG.
Adding a trust (letting FreeIPA detect the POSIX support)
First we need to check that there are no remnants of the previous trusts on the server.
# ipa idrange-find
There should be only the local range.
--------------- 1 range matched --------------- Range name: IPA.EXAMPLE.ORG_id_range First Posix ID of the range: 278400000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100000000 Range type: local domain range ---------------------------- Number of entries returned 1 ----------------------------
# ipa trust-find
No trust should be configured.
---------------- 0 trusts matched ---------------- ---------------------------- Number of entries returned 0 ----------------------------
Make sure that the time with the AD is synchronized. Otherwise the AD KDC might not talk with FreeIPA since the clock skew might be too great.
# ntpdate dc.ad.example.org
Add the trust. This can take a while (up to 30 seconds) as the FreeIPA is querying AD DC for UNIX information by default.
Note that we do not need to specify any additional flags, FreeIPA detects whether the UNIX support on the AD is available or not.
# ipa trust-add --type=ad ad.example.org --admin Administrator --password
Active directory domain administrator's password: ------------------------------------------------------------------------ Added Active Directory trust for realm "ad.example.org" ------------------------------------------------------------------------ Realm name: ad.example.org Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726 SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified
Checking the properties of the range
# ipa idrange-find
You should see the trusted domain's range as well as the local domain range. The size of the range should be at least 200 000. The range should be of "Active Directory trust range with POSIX attributes" type.
---------------- 2 ranges matched ---------------- Range name: IPA.EXAMPLE.ORG_id_range First Posix ID of the range: 278400000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100000000 Range type: local domain range Range name: AD.EXAMPLE.ORG_id_range First Posix ID of the range: 10000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory trust range with POSIX attributes ---------------------------- Number of entries returned 2 ----------------------------
Checking that user from AD has correct UID (as defined in AD)
# getent passwd testuser@AD.EXAMPLE.ORG
User should have the UID we defined in the AD. GID should belong to the testgroup.
testuser@ad.example.org:*:10000:10000:Test User:/home/testuser:/bin/sh
Check that with:
# getent group testgroup@AD.EXAMPLE.ORG
Adding a trust (forcing the SID-based approach)
Cleanup
First we delete the trust and the associated range.
# ipa trust-del ad.example.org ----------------------------------------------- Deleted trust "ad.example.org" ----------------------------------------------- # ipa idrange-del AD.EXAMPLE.ORG_id_range ----------------------------------------------------------- Deleted ID range "AD.EXAMPLE.ORG_id_range" -----------------------------------------------------------
We need to clear sssd cache, so that query for the testuser is not resolved from cache.
# systemctl stop sssd # rm -rf /var/lib/sss/db/* # systemctl start sssd
Adding the trust that does not use POSIX attributes
Now we add the trust, specifying the ipa-ad-local range type, which enforces SID to UID resolution, even if the UNIX support on the Active Directory is detected.
# ipa trust-add --type=ad ad.example.org --admin Administrator --password --range-type ipa-ad-trust
------------------------------------------------------------------------ Added Active Directory trust for realm "ad.example.org" ------------------------------------------------------------------------ Realm name: ad.example.org Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726 SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified
Checking the properties of the range
# ipa idrange-find
There should be only two ranges, the local and the trusted domain's one, which should have the "Active Directory domain range" type.
---------------- 2 ranges matched ---------------- Range name: IPA.EXAMPLE.ORG_id_range First Posix ID of the range: 877400000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100000000 Range type: local domain range Range name: AD.EXAMPLE.ORG_id_range First Posix ID of the range: 1218200000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726 Range type: Active Directory domain range ---------------------------- Number of entries returned 2 ----------------------------
Checking that user does not have UID as defined in AD
# getent passwd testuser@AD.EXAMPLE.ORG
The UID/GID returned should be different from those defined in AD as these come now from SID -> UID/GID resolution.
testuser@ad.example.org:*:1218201156:1218201156:Test User:/home/testuser:/bin/sh
Expected Results
All the test steps should end with the specified results.