David,
What's the difference between the two options (ipa-ad-trust vs.
ipa-ad-trust-posix), other than the uid & gid mapping? Why would I choose 1 over the
other?
I can't speak for your environment or anyone else's for that matter,
but for us it was due to legacy concerns.
We have migrated between several identity management systems over the
years with consistent UIDs and GIDs. Given the size of our user
base, we went with the ipa-ad-trust-posix so that we wouldn't need to
perform a massive `chown` across several different storage systems, as
UIDs and GIDs would be different between the trust types.
Just my 2¢
John DeSantis
On Fri, 7 May 2021 at 12:04, White, David via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
> I'm going to piggyback on this thread, because it is very relevant to a question
> I have.
>
> What's the difference between the two options (ipa-ad-trust vs.
> ipa-ad-trust-posix), other than the uid & gid mapping? Why would I choose one over the
> other?
>
> I have always scratched my head a little bit over why my AD users are able to log in to our
> FreeIPA (IdM) environment when they don't have the uidNumber attribute set in AD.
> That's the case, although a Red Hat consultant who helped me set up our environment
> over a year ago said that we needed to make sure we set the uidNumber attribute.
>
> My process in creating the groups within IdM has been to run the following 4
> commands:
>
> ipa group-add --desc='AD groupName External Group' ad_groupName_external --external
> ipa group-add --desc='AD groupName Internal-Posix' ad_groupName_posix
> ipa group-add-member ad_groupName_posix --groups ad_groupName_external
> ipa group-add-member ad_groupName_external --external 'corp-ad-domain.com\groupName'
> # just hit enter at the prompts for this last command.
>
> -David
>
> From: Florence Renaud via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Date: Friday, May 7, 2021 at 10:45
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: iulian roman <iroman_2002(a)yahoo.com>, Florence Renaud <flo(a)redhat.com>
> Subject: [Freeipa-users] Re: posix and non-posix AD users
>
> Hi,
>
> when a trust is established with posix range type, the users need to have uidNumber
> and gidNumber set on AD side. If you want IdM to generate uid and gid, the range type has
> to be ipa-ad-trust instead of ipa-ad-trust-posix but I believe the posix attributes of the
> AD entries won't be taken into account in this case (even if the AD entry contains a
> uidnumber/gidnumber, the one seen from IdM clients will be generated and is likely to
> differ).
>
> flo
>
> On Fri, May 7, 2021 at 3:34 PM iulian roman via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> I have configured a trust between IdM and Active Directory with posix range type.
> The users which do have an uidNumber in AD are correctly listed, but those without
> uidNumber are not (similar for the groups). Is there any setting or possibility to
> have the AD users without uidNumber get an uid generated automatically (if they do
> not have one in AD) by IPA and listed as AD users in Linux?
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure