[Freeipa-users] FreeIPA 3.0, OSX 10.7 and 10.8, and secondary groups

Scott Allen sallen at theembassyvfx.com
Thu Oct 9 21:27:53 UTC 2014

I have managed to get most of the functionality working with OSX and
FreeIPA. What I cannot seem to get is the secondary groups working.

Posix security is working for primary groups but the security for people
with a secondary group doesn't work.

I can see in the Directory Utility on OSX that each user has its own group
created and the secondary groups are in there. As well, I have a mapping
that connected groupMember to memberUid which I have read is the correct
way to do this.

Here is what I get when I go `dscl -read` on OSX 10.8 asking about the
production group.
dscl -read /LDAPv3/192.168.x.x/Groups/production
 producers and budget access for documents
dsAttrTypeNative:ipaUniqueID: db1a2b38-4440-11e4-a2aa-00304881a4bc
dsAttrTypeNative:objectClass: top groupofnames nestedgroup ipausergroup
ipaobject posixgroup
AppleMetaNodeLocation: /LDAPv3/
AppleMetaRecordName: cn=production,cn=groups,cn=accounts,dc=embassy,dc=vfx
PrimaryGroupID: 55400020
RecordName: production
RecordType: dsRecTypeStandard:Groups

However, when I type `groups` on the Mac, production isn't there and if I
`id` one of the members of the group, they do not show the secondary group.

So I guess I am wondering how do I get OSX access control to use ALL
the info that it already sees from FreeIPA?

Scott A

Scott Allen
Head of IT
The Embassy Visual Effects Inc.
4th Floor - 177 W 7th Avenue
Vancouver, B.C.
V5Y 1L8
604.696.6862 ext 239
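The `dscl -read` output above shows no GroupMembership attribute on the production group, and GroupMembership is the record attribute a POSIX client consults when building a user's secondary groups. As an added illustration (not part of this thread and not FreeIPA's or Apple's code), the following Python script simulates how an LDAPv3 client resolves `id`-style membership through a Directory Utility attribute mapping; the directory entries, the mapping, and the empty memberUid on the production group are constructed assumptions, not data taken from the poster's directory.

```python
# Added example: simulate a macOS LDAPv3 client resolving POSIX group
# membership through its attribute mapping, to show why a group can be
# readable with `dscl -read` yet absent from `id` / `groups`.
# Every entry and the mapping below are constructed sample data.

from typing import Dict, List

# Constructed LDAP entries; multi-valued attributes are lists.
USERS = {
    "uid=scott,cn=users,cn=accounts,dc=example,dc=test": {
        "uid": ["scott"], "uidNumber": ["55400001"], "gidNumber": ["55400001"],
    },
}
GROUPS = {
    # User private group: memberUid is populated, so it resolves.
    "cn=scott,cn=groups,cn=accounts,dc=example,dc=test": {
        "cn": ["scott"], "gidNumber": ["55400001"],
        "memberUid": ["scott"], "member": [],
    },
    # Assumed failure case: only the DN-valued 'member' lists the user.
    "cn=production,cn=groups,cn=accounts,dc=example,dc=test": {
        "cn": ["production"], "gidNumber": ["55400020"],
        "member": ["uid=scott,cn=users,cn=accounts,dc=example,dc=test"],
        "memberUid": [],
    },
}
# Hypothetical Directory Utility mapping: OD attribute -> LDAP attribute.
MAPPING = {"GroupMembership": "memberUid", "Member": "member"}


def resolve_groups(uid: str, mapping: Dict[str, str] = MAPPING) -> List[str]:
    """Return the group names a POSIX client would list for `id <uid>`."""
    user = next(u for u in USERS.values() if u["uid"] == [uid])
    primary = user["gidNumber"][0]
    names = [g["cn"][0] for g in GROUPS.values() if g["gidNumber"] == [primary]]
    attr = mapping["GroupMembership"]  # only this attribute feeds secondary groups
    for g in GROUPS.values():
        if uid in g.get(attr, []) and g["cn"][0] not in names:
            names.append(g["cn"][0])
    return names


def diagnose(uid: str, group_cn: str, mapping: Dict[str, str] = MAPPING) -> Dict[str, bool]:
    """Report which LDAP attributes on the group actually list this user."""
    g = next(g for g in GROUPS.values() if g["cn"] == [group_cn])
    user_dn = next(dn for dn, u in USERS.items() if u["uid"] == [uid])
    return {
        "memberUid_lists_user": uid in g.get("memberUid", []),
        "member_lists_user_dn": user_dn in g.get("member", []),
        "mapped_attr_lists_user": uid in g.get(mapping["GroupMembership"], []),
    }


if __name__ == "__main__":
    print(resolve_groups("scott"))          # ['scott']: production is missing
    print(diagnose("scott", "production"))
```

Running it reproduces the symptom in the thread: the user's private group resolves, while production is visible as a group record but never appears in the resolved list because the attribute the mapping points at lists nobody.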