I have managed to login to an IPA client with a non-existing user.
My AD user is z123456@addomain.mydomain.at and I have created a similar user called i123456@ipadomain.mydomain.at. What happened now is that I could log in with the i-User and what I get to see after logging in is this:
[i123456@addomain.mydomain.at@as12314 ~]$ id
uid=1246600007(i123456@addomain.mydomain.at) gid=1246600007(i123456@addomain.mydomain.at) groups=1246600007(i123456@addomain.mydomain.at),1246600016(my-ad-group@ipadomain.mydomain.at) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[i123456@addomain.mydomain.at@as12314 ~]$ whoami
i123456@addomain.mydomain.at
The user i123456@addomain.mydomain.at does NOT exist.
addomain is set as default domain in the client's sssd.conf.
What is wrong here? Are things just displayed wrong or could it be more?
Which files do you need in order to analyze this issue?
Cheers, Ronald
On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users wrote:
I have managed to login to an IPA client with a non-existing user.
My AD user is z123456@addomain.mydomain.at and I have created a similar user called i123456@ipadomain.mydomain.at. What happened now is that I could log in with the i-User and what I get to see after logging in is this:
[i123456@addomain.mydomain.at@as12314 ~]$ id
uid=1246600007(i123456@addomain.mydomain.at) gid=1246600007(i123456@addomain.mydomain.at) groups=1246600007(i123456@addomain.mydomain.at),1246600016(my-ad-group@ipadomain.mydomain.at) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[i123456@addomain.mydomain.at@as12314 ~]$ whoami
i123456@addomain.mydomain.at
The user i123456@addomain.mydomain.at does NOT exist.
addomain is set as default domain in the client's sssd.conf.
Does this change if you remove the default_domain_suffix option from the client? Is this option set on the server as well? What is currently displayed for the user on the server?
In general, default_domain_suffix should not be used anymore; it is better to define a domain lookup order on the IPA server.
What is wrong here? Are things just displayed wrong or could it be more?
Are the numeric UIDs and GIDs the expected ones?
Which files do you need in order to analyze this issue?
It would be good to see the full LDAP objects of the AD user and the IPA user and sssd.conf from the IPA server and the client. This might already give some idea but chances are we need the full logs as well.
bye, Sumit
Cheers, Ronald

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
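An added check for Sumit's question whether the numeric UIDs and GIDs are the expected ones (example code written for this page, not from the thread, SSSD or FreeIPA): it parses the id output quoted above and compares the domain suffix each name is displayed with against the domain whose ID range actually owns the number. The ID_RANGES table is a constructed assumption; on a real server the bases and sizes come from ipa idrange-find.

```python
import re

# Constructed ID ranges, (first POSIX ID, number of IDs) per domain, in the shape
# 'ipa idrange-find' reports them. These values are assumptions for this example.
ID_RANGES = {
    "ipadomain.mydomain.at": (1246600000, 200000),
    "addomain.mydomain.at": (1500000000, 200000),
}

# The 'id' line quoted in the thread, reused here as sample input.
SAMPLE_ID_OUTPUT = (
    "uid=1246600007(i123456@addomain.mydomain.at) "
    "gid=1246600007(i123456@addomain.mydomain.at) "
    "groups=1246600007(i123456@addomain.mydomain.at),"
    "1246600016(my-ad-group@ipadomain.mydomain.at) "
    "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
)

ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")

def parse_id_output(line: str) -> dict[str, list[tuple[int, str]]]:
    """Split one 'id' line into uid, gid and groups as (number, name) pairs."""
    fields = {}
    for key, value in re.findall(r"\b(uid|gid|groups)=(\S+)", line):
        fields[key] = [(int(n), name) for n, name in ENTRY_RE.findall(value)]
    return fields

def owning_domain(number: int) -> str:
    """Domain whose ID range contains the number, or '' if no range matches."""
    for domain, (base, size) in ID_RANGES.items():
        if base <= number < base + size:
            return domain
    return ""

def find_domain_mismatches(line: str) -> list[str]:
    """Names whose displayed @domain suffix is not the domain owning their ID."""
    # A hit means the name is rendered with the wrong suffix (for example by a
    # client-side default_domain_suffix) even though the numeric ID is correct.
    mismatches = []
    for entries in parse_id_output(line).values():
        for number, name in entries:
            shown = name.rsplit("@", 1)[1] if "@" in name else ""
            owner = owning_domain(number)
            if owner and shown != owner:
                msg = f"{name}: id {number} belongs to {owner}"
                if msg not in mismatches:
                    mismatches.append(msg)
    return mismatches
```

With the sample line the user entry is flagged once (its ID sits in the IPA range but the name carries the AD suffix) while my-ad-group@ipadomain.mydomain.at passes.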
On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote:
Does this change if you remove the default_domain_suffix option from the client? Is this option set on the server as well? What is currently displayed for the user on the server?
In general, default_domain_suffix should not be used anymore; it is better to define a domain lookup order on the IPA server.
I could not reproduce it anymore. UID and GID of the user were correct. Maybe I used the POSIX group I mapped to an AD group in an incorrect way. The group had the actual AD group as an external member and I also added the IPA user (i123456) to this exact POSIX group. I bet that it is not recommended to do that?
Where should the domain lookup order on the IPA servers be specified?
Cheers, Ronald
On Tue, Apr 16, 2019 at 11:12:18AM +0200, Ronald Wimmer via FreeIPA-users wrote:
I could not reproduce it anymore. UID and GID of the user were correct. Maybe I used the POSIX group I mapped to an AD group in an incorrect way. The group had the actual AD group as an external member and I also added the IPA user (i123456) to this exact POSIX group. I bet that it is not recommended to do that?
Do you mean this group is a POSIX group and an external group at the same time? I think this is not recommended (supported?). Please add the AD users and groups to external groups and then add the external groups to POSIX groups. Nevertheless, I think this is not the reason for the wrong names you have seen.
Where should the domain lookup order on the IPA servers be specified?
ipa config-mod --domain-resolution-order=......
bye, Sumit
On 16.04.19 11:29, Sumit Bose via FreeIPA-users wrote:
Do you mean this group is a POSIX group and an external group at the same time? I think this is not recommended (supported?). Please add the AD users and groups to external groups and then add the external groups to POSIX groups. Nevertheless, I think this is not the reason for the wrong names you have seen.
No. As the documentation advises, I've created an external group that contains the AD group. After that, I created an IPA (POSIX) group that has the external group as a member. Additionally, I added an IPA user to that POSIX group. (Doing that, I am mixing AD and IPA users in a group. Is it ok to do that?)
Cheers, Ronald
On Tue, Apr 16, 2019 at 11:56:32AM +0200, Ronald Wimmer via FreeIPA-users wrote:
No. As the documentation advises, I've created an external group that contains the AD group. After that, I created an IPA (POSIX) group that has the external group as a member. Additionally, I added an IPA user to that POSIX group. (Doing that, I am mixing AD and IPA users in a group. Is it ok to do that?)
Yes, since you are not "mixing AD and IPA users in a group" but IPA users and IPA external groups.
bye, Sumit
Sorry for asking. I might have missed reading that part of the official documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
On Mon, Sep 02, 2019 at 02:37:47PM +0200, Ronald Wimmer via FreeIPA-users wrote:
Sorry for asking. I might have missed reading that part of the official documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Yes, the domain you prefer most should come first. Domains not listed here will be added afterwards in a random order.
bye, Sumit
Configured it on the ipa server side and it works like a charm!
What I am still missing is setting the default shell on the server side as well. I still have to use the default_shell entry in the nss section of sssd.conf to set the shell to /bin/bash for AD users.
Cheers, Ronald