[Freeipa-users] IPA 3.3.3 in transitive trust and random group assignment

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 23 14:05:29 UTC 2014


On Thu, 23 Oct 2014, crony wrote:
>Hi List,
>On IPA server I added one external group for AD group.
>
>When I log in to IPA client I can see that group:
>
>976800007(trustlinuxgroup_from_ad2posix)
>
> but also I see few different groups came directly from Active Directory
>like 127310615(trustlinuxgroup at acme.example.com) or 127200513(domain
>users at acme.example.com):
>
>Afer clearing the cache, the group assignment looks different, few more or
>less groups showed by id command.
>
>Do you know the reason? I have no idea what to do with this.
Prior to SSSD 1.12 full group membership was only retrieved during
actual authentication step. With 1.12.2, I think, we have means to pick
up most of the groups before authentication as well, barring those that
are not valid outside of the domain or forest's use (domain local
groups).

-- 
/ Alexander Bokovoy




More information about the Freeipa-users mailing list