ID Mapping ofActive Directory users with

Sumit BoseRed Hat

sbose@redhat.com

is a client for FreeIPA

DNSNTP

Integrated Solution

=

Identity

Who you are

VT100 anyone ?$ ipa user-find admin--------------1 user matched-------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash UID: 747400000 GID: 747400000 Account disabled: False Password: True Kerberos keys available: True----------------------------Number of entries returned 1----------------------------

Policy

What you are allowed to do

Audit

What you have done

PAM

NSS sudoSELinux

automountssh

InfoPipe

IPA Server

PAM

NSS sudoSELinux

automountssh

InfoPipe

IPA ServerOther ServerIPA, LDAP, AD

PAMNSS sudo

SELinux

automountssh

InfoPipe

IPA Server

app1

app2 app3

app4

Tomorrow

ActiveDirectory

Forest Trust

Tomorrow

ID-Mapping

SIDs POSIX IDs

1028 : 1

128bits 32bits

SID POSIX ID

Algorithmic Mapping

posixAccount

Manual MappingManaged in AD

FreeIPA CIFS-ClientAD DC

File-Server

IPA Server

IPA Client

cifs-utils

Kernel-

User-Space

cifs.idmapidmapwb.socifs_idmap_sss.so

FreeIPA CIFS-ServerAD DC

AD Client

IPA Server

IPA Client

smbd wbinfo

libwbclient.so.0

winbindd

Samba File-Server

smbd wbinfo

libwbclient.so.0

Samba File-ServerOn a FreeIPA Client

libwbclient-sssd.so.0

Tomorrow

libwbclient-sssdcommon ID/SID lookup

authenticationutilities

libwbclient-sssdLimitations

Trust MgmtNTLMWINS ID alloc

pam_winbind.solibnss_winbind.so

pam_sss.solibnss_sss.so socket

socket winbindd

Next Plans

pam_socket.solibnss_socket.so socket

winbindd

Unified PAM/nss Client

Thank you :-)

Any questions please?