Considering or Ignoring POSIX Attributes

In a Windows AD schema it has been possible for some time to define POSIX attributes that can be enabled using the identity management for UNIX (IMU) – formerly known as Services for UNIX (SFU) – component. You can then enter the desired attributes in the properties of a Windows user (e.g., the UID and GID), as well as the desired home directory and other POSIX information.

FreeIPA recognizes this and would revert automatically to the attributes stored in the AD, instead of defining new attributes. When creating the trust, you can explicitly determine how FreeIPA should behave if POSIX attributes are already defined in the AD. Using

ipa trust-add --range-type=ipa-ad-trust-posix

you can determine what POSIX attributes stored in the AD should be used. However, the statement

ipa trust-add --range-type=ipa-ad-trust

says that these attributes are to be ignored and that SSSD should generate separate IDs instead..

Windows Groups and Security Rules

The FreeIPA framework uses group information for many security rules (e.g., sudo, SELinux, HBAC) to decide whether access for a specific user is allowed or not. However, because the framework isn't in the know about the Windows groups – after all, they're located externally and aren't stored on the FreeIPA systems – you need to use a little trick to be able to use them with the desired set of rules.

The trick consists of including all desired Windows groups in corresponding external (non-POSIX) groups; then, you can nest them in POSIX groups, which you can ultimately use in your set of rules. Listing 6 shows how you can nest all domain users from the Windows domain in a POSIX group via an external group from the FreeIPA server.

### You need to use a few tricks to be able to use Windows groups on the FreeIPA.
# ipa group-add --desc='COE users external map'coe_domain_users_external --external
---------------------------------------
Added group "coe_domain_users_external"
---------------------------------------
    Group name: coe_domain_users_external
    Description: COE users external map
# ipa group-add --desc='COE users'coe_domain_users
------------------------------
Added group "coe_domain_users"
------------------------------
    Group name: coe_domain_users
    Description: COE users
    GID: 1691800008
# ipa group-add-member coe_domain_users_external --external 'COE\Domain Users'
[member user]:
[member group]:
    Group name: coe_domain_users_external
    Description: COE users external map
    External member: S-1-5-21-2960236960-1249552018-43539955-513
-------------------------
Number of members added 1
-------------------------
# ipa group-add-member coe_domain_users --groups coe_domain_users_external
    Group name: coe_domain_users
    Description: COE users
    GID: 1691800008
    Member groups: coe_domain_users_external
-------------------------
Number of members added 1
-------------------------

You can use the coe_domain_users group from now on to implement host-based access control rules, for example, and just grant members of this group access to certain systems. You can, of course, apply this procedure to all Windows groups.

Conclusions

FreeIPA provides a comprehensive integration of Linux environments in existing Windows AD structures. Unlike direct integration of Linux clients, the framework provides a native interface and makes it easy to access the Active Directory.

Using this interface, Linux clients can benefit from the usual security mechanisms and don't have to use a trimmed-down range of functions if they are made available via an AD domain controller. Another advantage of this form of integration is that Windows admins keep control of their domains, and Linux admins can provide their clients the necessary data via the FreeIPA framework.