Satellite / SAT-23355

IDM + AD + Cross Forest configuration


    • Sat_docs_11_2024, Sat_docs_12_2024
    • Important
    • No

      Document URL:
      https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html-single/installing_satellite_server_in_a_connected_network_environment/index#Configuring_the_FreeIPA_Server_to_use_Cross_Forest_Trust_satellite

      Section Number and Name:
      5.3.6. Configuring the Red Hat Identity Management Server to Use Cross-Forest Trust

      Describe the issue:
      The customer can proceed with the steps mentioned. However, the login on Satellite will not work properly when trying to authenticate using an AD account. It will only work for IDM users.

      Suggestions for improvement:

      From (current conf)

      [nss]
      user_attributes=+mail, +sn, +givenname
      [domain/EXAMPLE.com]
      ...
      krb5_store_password_if_offline = True
      ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

      [ifp]
      allowed_uids = ipaapi, root
      user_attributes=+email, +firstname, +lastname

      To

      [domain/EXAMPLE.com]
      ...
      krb5_store_password_if_offline = True
      ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

      [nss]
      user_attributes=+email, +firstname, +lastname

      [ifp]
      allowed_uids = ipaapi, root
      user_attributes=+email, +firstname, +lastname

      Note: above, only the [nss] section was updated.

      Also, reinforce that this configuration should be applied only on the IDM server(s); it will not be necessary on the Satellite server itself.

      One additional enhancement in the same section: there is an example of how to verify using the dbus-send command. It would be worth adding a note mentioning that this command should be executed on both the IDM and the Satellite server, and that the output should be the same on both. Below you can see an example:

      dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:user1@adwmp.test array:string:email,firstname,lastname
      method return time=1708114064.187163 sender=:1.330 -> destination=:1.334 serial=8 reply_serial=2
         array [
            dict entry(
               string "email"
               variant array [
                  string "user1@local.biz"
               ]
            )
            dict entry(
               string "firstname"
               variant array [
                  string "First Name User1"
               ]
            )
            dict entry(
               string "lastname"
               variant array [
                  string "Last Name User1"
               ]
            )
         ]

      Additional information:

      I'm not sure if you believe it to be valid, but, assuming the customer applies the change above, eventually this will not be replicated at that moment, causing some sort of confusion. In order to guarantee this change is in effect, we can provide the step below:

      # run on both the IDM server and the Satellite server; removes the SSSD cache database and memory cache
      systemctl stop sssd ; rm -rf /var/lib/sss/{db,mc}/* ; systemctl start sssd

      This will guarantee that there is no cache, and that the latest information will be available on IDM and on the client (in this case, the Satellite server).
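      The two checks this issue asks for, written out as an added Python example. This is not code from the issue, from SSSD or from the Satellite documentation. It assumes what the suggestion above relies on: the names listed in [nss] and [ifp] user_attributes must be the mapped names defined on the left-hand side of ldap_user_extra_attrs (email, firstname, lastname), not the raw LDAP attributes (mail, sn, givenname). The function names are mine, the sssd.conf fragments are the "From" and "To" blocks from this issue, and the two dbus-send replies are constructed (the second simulates a Satellite server whose cache still lacks the email attribute, which is what the side-by-side comparison above is meant to catch).

```python
"""Checks for the SSSD setup discussed in this issue.

Added example; not code from the issue or from the Satellite documentation.
Assumes the semantics the issue relies on: [nss]/[ifp] user_attributes must
list the mapped names from ldap_user_extra_attrs (email, firstname, lastname),
not the raw LDAP attributes (mail, sn, givenname). All inputs are constructed
from the text of the issue.
"""
import configparser
import re

# Constructed: the "From (current conf)" fragment from the issue; the "To"
# fragment differs only in the [nss] user_attributes line.
CONF_BEFORE = """
[nss]
user_attributes=+mail, +sn, +givenname
[domain/EXAMPLE.com]
krb5_store_password_if_offline = True
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname
[ifp]
allowed_uids = ipaapi, root
user_attributes=+email, +firstname, +lastname
"""
CONF_AFTER = CONF_BEFORE.replace("+mail, +sn, +givenname", "+email, +firstname, +lastname")


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def mapped_extra_attrs(cfg):
    """{mapped_name: ldap_attr} from ldap_user_extra_attrs in every [domain/*] section."""
    mapping = {}
    for section in cfg.sections():
        if section.startswith("domain/") and cfg.has_option(section, "ldap_user_extra_attrs"):
            for item in _csv(cfg.get(section, "ldap_user_extra_attrs")):
                name, _, ldap_attr = item.partition(":")   # "email:mail" or just "mail"
                mapping[name.strip()] = ldap_attr.strip() or name.strip()
    return mapping


def check_user_attributes(conf_text):
    """Return problems found in [nss]/[ifp] user_attributes (empty list = consistent)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(conf_text)
    mapping = mapped_extra_attrs(cfg)
    problems = []
    for section in ("nss", "ifp"):
        if not cfg.has_option(section, "user_attributes"):
            problems.append(f"[{section}] has no user_attributes")
            continue
        for item in _csv(cfg.get(section, "user_attributes")):
            name = item.lstrip("+-")   # '+' allows, '-' denies an attribute
            if name in mapping:
                continue
            fix = [m for m, raw in mapping.items() if raw == name]
            hint = f"; use +{fix[0]}" if fix else ""
            problems.append(f"[{section}] lists '{name}', not a mapped name{hint}")
    return problems


# Constructed: GetUserAttr replies in the layout shown in the issue (whitespace
# collapsed); the second simulates a Satellite server whose cache lacks "email".
DBUS_IDM = '''method return time=1708114064.187163 sender=:1.330 -> destination=:1.334 serial=8 reply_serial=2
array [
  dict entry( string "email" variant array [ string "user1@local.biz" ] )
  dict entry( string "firstname" variant array [ string "First Name User1" ] )
  dict entry( string "lastname" variant array [ string "Last Name User1" ] )
]'''
DBUS_SAT_STALE = '''method return time=1708114100.000000 sender=:1.12 -> destination=:1.15 serial=8 reply_serial=2
array [
  dict entry( string "firstname" variant array [ string "First Name User1" ] )
  dict entry( string "lastname" variant array [ string "Last Name User1" ] )
]'''

_ENTRY = re.compile(r'dict entry\(\s*string "([^"]+)"\s*variant\s+array \[(.*?)\]\s*\)', re.S)


def parse_get_user_attr(reply):
    """Turn a dbus-send GetUserAttr reply into {attribute: [values]}."""
    return {k: re.findall(r'string "([^"]*)"', body) for k, body in _ENTRY.findall(reply)}


def compare_hosts(reply_idm, reply_satellite, expected=("email", "firstname", "lastname")):
    """Attributes that are missing or differ between the two hosts (should be empty)."""
    idm, sat = parse_get_user_attr(reply_idm), parse_get_user_attr(reply_satellite)
    return [f"{a}: idm={idm.get(a)} satellite={sat.get(a)}"
            for a in expected if idm.get(a) != sat.get(a)]


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, check_user_attributes(conf) or "OK")
    print("hosts", compare_hosts(DBUS_IDM, DBUS_SAT_STALE) or "identical")
```

      Run check_user_attributes() against /etc/sssd/sssd.conf on the IDM server before restarting SSSD; run the dbus-send command on both hosts, save each reply to a file, and feed the two captures to compare_hosts() so a stale or missing attribute on the Satellite side is reported by name instead of being spotted by eye.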

              apetrova@redhat.com Aneta Šteflová Petrová
              rhn-support-wpinheir Waldirio Pinheiro