4:03 a.m.
Hi,
I wonder if there is a way to create an AD trust where users would maintain the
uidNumber/gidNumber that are stored in AD.
I read on an older question on the nakive forum that if the trust-add command finds users
with uidNumbers, so those would be used. I tried, but a random id-range is created every
time.
Is there a smart way to actually preserve those uidNumbers from AD?
Best,
Francis
4:12 a.m.
On pe, 08 huhti 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,
I wonder if there is a way to create an AD trust where users would
maintain the uidNumber/gidNumber that are stored in AD.
Yes. It is all documented in RHEL IdM documentation.
I read on an older question on the nakive forum that if the trust-add
command finds users with uidNumbers, so those would be used. I tried,
but a random id-range is created every time.
Is there a smart way to actually preserve those uidNumbers from AD?
I guess, you did not specify the type of the range? If type of range is
not specified, we attempt to search on the forest root domain for signs
of use of SFU information in AD LDAP at
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$BASEDN.
If you have user domain somewhere else in the forest and users are not
part of the forest root domain, then this check will not find POSIX
identities.
# ipa trust-add --help|grep range-type
--range-type=['ipa-ad-trust', 'ipa-ad-trust-posix']
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4:23 a.m.
Again, thanks a lot Alexander! I will try this!
Best,
Francis
On 8 Apr 2022, at 11:12, Alexander Bokovoy
<abokovoy(a)redhat.com> wrote:
On pe, 08 huhti 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> Hi,
>
> I wonder if there is a way to create an AD trust where users would
> maintain the uidNumber/gidNumber that are stored in AD.
Yes. It is all documented in RHEL IdM documentation.
>
> I read on an older question on the nakive forum that if the trust-add
> command finds users with uidNumbers, so those would be used. I tried,
> but a random id-range is created every time.
>
> Is there a smart way to actually preserve those uidNumbers from AD?
I guess, you did not specify the type of the range? If type of range is
not specified, we attempt to search on the forest root domain for signs
of use of SFU information in AD LDAP at
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$BASEDN.
If you have user domain somewhere else in the forest and users are not
part of the forest root domain, then this check will not find POSIX
identities.
# ipa trust-add --help|grep range-type
--range-type=['ipa-ad-trust', 'ipa-ad-trust-posix']
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
763
days inactive
763
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Alexander Bokovoy -
Francis Augusto Medeiros-Logeay