Guided Exercise: Managing AD User Integration with ID Views

Create an ID view to redefine the POSIX attributes for Active Directory users, and verify that the attribute mapping is successful.


Outcomes

  • Create an ID view and override Active Directory user attributes.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start ad-managing

Instructions

  1. On the client machine, prepare the UID, GID, and home directory that the ID view will map an Active Directory user to. Create the adusers user group with 1111 as the ID. Create the aduser05 directory and configure it as the home directory for the members of the adusers group.

    1. Log in to the client machine as student and become the root user:

      [student@workstation ~]$ ssh client
      [student@client ~]$ sudo -i
      [sudo] password for student: student
    2. Create the adusers user group with 1111 as the ID:

      [root@client ~]# groupadd -g 1111 adusers
    3. Create the /home/aduser05 directory. Set 1111 as the user and group owner:

      [root@client ~]# mkdir /home/aduser05
      [root@client ~]# chown 1111:1111 /home/aduser05
  2. On the idm machine, create the adview view. Set AD id view as the description of the view.

    1. Open a new terminal tab and log in to the idm machine as the student user. Authenticate to IdM as the admin user, with RedHat123^ as the password:

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Create the adview view in the IdM domain:

      [student@idm ~]$ ipa idview-add --desc="AD id view" adview
      ----------------------
      Added ID View "adview"
      ----------------------
        ID View Name: adview
        Description: AD id view
  3. In the adview view, create a user attributes override view for the aduser05 Active Directory user.

    1. Create a user override in the view for the aduser05 user, so that it replaces the attributes of that user stored in Active Directory. Override the standard attributes with the /bin/bash shell, the 1111 UID, the 1111 GID, and the /home/aduser05 home directory:

      [student@idm ~]$ ipa idoverrideuser-add --desc="Overrides for aduser05" \
        --shell=/bin/bash --homedir=/home/aduser05 \
        --uid=1111 --gidnumber=1111 adview aduser05@ad.example.com
      ------------------------------------------------
      Added User ID override "aduser05@ad.example.com"
      ------------------------------------------------
        Anchor to override: aduser05@ad.example.com
        Description: Overrides for aduser05
        UID: 1111
        GID: 1111
        Home directory: /home/aduser05
        Login shell: /bin/bash
    2. Apply the adview view to the client machine:

      [student@idm ~]$ ipa idview-apply --hosts=client.lab.example.com adview
      ------------------------
      Applied ID View "adview"
      ------------------------
        hosts: client.lab.example.com
      ---------------------------------------------
      Number of hosts the ID View was applied to: 1
      ---------------------------------------------
  4. Ensure that the new configuration is active on the client machine. Test it by logging in to the client machine as the aduser05 Active Directory user.

    1. Switch to the first terminal tab and clear the SSSD cache. Restart the SSSD service:

      [root@client ~]# sss_cache -E
      [root@client ~]# systemctl restart sssd
    2. Exit the client machine:

      [root@client ~]# exit
      logout
      [student@client ~]$ exit
      logout
      Connection to client closed.
    3. Log in to the client machine as the aduser05 Active Directory user:

      [student@workstation ~]$ ssh aduser05@ad.example.com@client.lab.example.com
      Password for aduser05@ad.example.com: RedHat_2022
      [aduser05@ad.example.com@client ~]$
    4. Verify the new GID and home directory attributes of the aduser05 user.

      Important

      If the user does not show the expected attributes or you fail to log in, then try clearing the SSSD cache and restarting the service on the client machine again.

      [aduser05@ad.example.com@client ~]$ id
      uid=1111(aduser05@ad.example.com) gid=1111(adusers) groups=1111(adusers),622800513(domain users@ad.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      [aduser05@ad.example.com@client ~]$ pwd
      /home/aduser05
    5. Exit from the client machine:

      [aduser05@ad.example.com@client ~]$ exit
      logout
      Connection to client.lab.example.com closed.
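The `id` and `pwd` checks above confirm the mapping by eye. The following script is an added example, not part of the course material or of the ipa/sssd tooling, that turns the same check into something repeatable: it compares a passwd-format entry (as `getent passwd` prints it through SSSD) against the override values set in the adview view, and checks that the home directory created in step 1 is owned by the same UID:GID. The function names, the sample passwd lines and the stale-cache entry are constructed for this example; the ownership check assumes GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not part of the course): check that the client resolves the
# aduser05 overrides from the adview ID view, and that the local prerequisites
# from step 1 (group 1111, /home/aduser05 owned by 1111:1111) line up with them.
# Function and variable names are this example's own, not ipa or sssd tooling.

# Values set in the idoverrideuser-add command of this exercise.
EXPECTED_UID=1111
EXPECTED_GID=1111
EXPECTED_HOME=/home/aduser05
EXPECTED_SHELL=/bin/bash

# check_passwd_entry ENTRY
#   ENTRY is one passwd-format line, as printed by `getent passwd NAME`.
#   Returns 0 when uid, gid, home and shell all equal the override values,
#   1 otherwise, naming every mismatching field on stderr.
check_passwd_entry() {
    entry=$1
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    rc=0
    [ "$uid" = "$EXPECTED_UID" ]     || { echo "uid: got '$uid', want $EXPECTED_UID" >&2; rc=1; }
    [ "$gid" = "$EXPECTED_GID" ]     || { echo "gid: got '$gid', want $EXPECTED_GID" >&2; rc=1; }
    [ "$home" = "$EXPECTED_HOME" ]   || { echo "home: got '$home', want $EXPECTED_HOME" >&2; rc=1; }
    [ "$shell" = "$EXPECTED_SHELL" ] || { echo "shell: got '$shell', want $EXPECTED_SHELL" >&2; rc=1; }
    return $rc
}

# check_home_ownership DIR UID GID
#   Returns 0 when DIR exists and is owned by UID:GID (uses GNU stat -c).
#   A home directory owned by the wrong ids is the usual reason an
#   overridden user can log in but cannot write to its home directory.
check_home_ownership() {
    dir=$1
    want="$2:$3"
    [ -d "$dir" ] || { echo "$dir: no such directory" >&2; return 1; }
    owner=$(stat -c '%u:%g' "$dir")
    [ "$owner" = "$want" ] || { echo "$dir: owned by $owner, want $want" >&2; return 1; }
    return 0
}

# check_resolved_user NAME
#   Real-world entry point: resolve NAME through NSS (and so through SSSD and
#   the applied ID view), then check the entry and the home directory owner.
#   On the client this is run as root after `sss_cache -E` and
#   `systemctl restart sssd`, e.g.: check_resolved_user aduser05@ad.example.com
check_resolved_user() {
    entry=$(getent passwd "$1") || { echo "$1: not resolvable via NSS" >&2; return 1; }
    check_passwd_entry "$entry" || return 1
    check_home_ownership "$EXPECTED_HOME" "$EXPECTED_UID" "$EXPECTED_GID"
}

# Constructed sample lines, so the checks can be exercised without an AD trust.
# SAMPLE_OK mirrors what `getent passwd aduser05@ad.example.com` should print
# once the view is applied; SAMPLE_STALE is a made-up cached entry that still
# carries AD-generated ids, the situation the Important note above describes.
SAMPLE_OK='aduser05@ad.example.com:*:1111:1111:aduser05:/home/aduser05:/bin/bash'
SAMPLE_STALE='aduser05@ad.example.com:*:622801105:622800513:aduser05:/home/aduser05:/bin/sh'

if check_passwd_entry "$SAMPLE_OK"; then
    echo "sample entry matches the adview overrides"
fi
if ! check_passwd_entry "$SAMPLE_STALE" 2>/dev/null; then
    echo "stale sample entry rejected: clear the SSSD cache and restart sssd"
fi
```

On the client, `check_resolved_user aduser05@ad.example.com` is the call to make after step 4.1; a non-zero exit with the mismatching fields on stderr points at a stale SSSD cache (ids still AD-generated) or at a home directory whose owner does not match the override.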
  5. On the idm machine, update the IdM configuration to use short names to resolve and authenticate to the Active Directory domain. On the client machine, clear the SSSD cache and log in as the aduser05 user without defining the domain.

    1. Switch to the second tab and set the domain resolution order. This IdM configuration setting applies to all clients in the trust:

      [student@idm ~]$ ipa config-mod \
        --domain-resolution-order='lab.example.com:ad.example.com'
      ...output omitted...
        Domain resolution order: lab.example.com:ad.example.com
        IPA DNS servers: idm.lab.example.com, replica1.lab.example.com, replica2.lab.example.com
    2. On the client machine, clear the SSSD cache and restart the SSSD service:

      [student@workstation ~]$ ssh client
      [student@client ~]$ sudo -i
      [sudo] password for student: student
      [root@client ~]# sss_cache -E
      [root@client ~]# systemctl restart sssd
    3. Exit from the client machine:

      [root@client ~]# exit
      logout
      [student@client ~]$ exit
      logout
      Connection to client closed.
    4. Verify that the new configuration is working as expected. Log in to the client machine as the aduser05 user without specifying the @ad.example.com domain name:

      [student@workstation ~]$ ssh aduser05@client.lab.example.com
      Password for aduser05@ad.example.com: RedHat_2022
      [aduser05@ad.example.com@client ~]$
    5. Verify that the aduser05 user authenticated from the ad.example.com domain:

      [aduser05@ad.example.com@client ~]$ id
      uid=1111(aduser05@ad.example.com) gid=1111(adusers) groups=1111(adusers),622800513(domain users@ad.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      [aduser05@ad.example.com@client ~]$ hostname
      client.lab.example.com
    6. Exit from the client machine:

      [aduser05@ad.example.com@client ~]$ exit
      logout
      Connection to client.lab.example.com closed.
  6. On the idm machine, remove the trust relationship between IdM and Active Directory.

    1. Switch to the second terminal tab and review the existing trust:

      [student@idm ~]$ ipa trustdomain-find ad.example.com
        Domain name: ad.example.com
        Domain NetBIOS name: AD
        Domain Security Identifier: S-1-5-21-1851492132-63302129-2341221329
        Domain enabled: True
      ----------------------------
      Number of entries returned 1
      ----------------------------
    2. Remove the trust:

      [student@idm ~]$ ipa trust-del ad.example.com
      ------------------------------
      Deleted trust "ad.example.com"
      ------------------------------
    3. Remove the forward zone for the Active Directory domain:

      [student@idm ~]$ ipa dnsforwardzone-find
        Zone name: ad.example.com.
        Active zone: True
        Zone forwarders: 172.25.250.221
        Forward policy: only
      ----------------------------
      Number of entries returned 1
      ----------------------------
      [student@idm ~]$ ipa dnsforwardzone-del ad.example.com
      ------------------------------------------
      Deleted DNS forward zone "ad.example.com."
      ------------------------------------------
    4. Exit from the idm machine and close the tab:

      [student@idm ~]$ exit
      logout
      Connection to idm closed.
      [student@workstation ~]$ exit

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish ad-managing

Revision: rh362-9.1-4c6fdb8