[Freeipa-users] IPA 3.3.3 in transitive trust and random group assignment

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 23 14:05:29 UTC 2014

On Thu, 23 Oct 2014, crony wrote:
>Hi List,
>On IPA server I added one external group for AD group.
>When I log in to IPA client I can see that group:
> but also I see few different groups came directly from Active Directory
>like 127310615(trustlinuxgroup at acme.example.com) or 127200513(domain
>users at acme.example.com):
>Afer clearing the cache, the group assignment looks different, few more or
>less groups showed by id command.
>Do you know the reason? I have no idea what to do with this.
Prior to SSSD 1.12 full group membership was only retrieved during
actual authentication step. With 1.12.2, I think, we have means to pick
up most of the groups before authentication as well, barring those that
are not valid outside of the domain or forest's use (domain local

/ Alexander Bokovoy

More information about the Freeipa-users mailing list