[Freeipa-users] Problems with users from AD trusted domain after update to IPA 4.1

Alexander Frolushkin Alexander.Frolushkin at megafon.ru
Wed Apr 22 04:47:00 UTC 2015


Hello.
Not sure if it happened after the update, but now we are on 4.1, and on some servers we have only AD groups if it is the primary group for the user, and no IPA groups that have the AD external group as a member.
For example, on the IPA server we have
# id afrolushkin@ad.com
uid=236658172(afrolushkin@ad.com) gid=236658172(afrolushkin@ad.com) groups=236658172(afrolushkin@ad.com),236658193(sib-dwh-sa-admins@ad.com),810800020(sib-dwh-sa-admins),236667642(rhidm-sa-admins@ad.com)
here the group 236658193(sib-dwh-sa-admins@ad.com) has an IPA group 810800020(sib-dwh-sa-admins), and it is not the primary group for the user.
The group that is primary for this user, 236667642(rhidm-sa-admins@ad.com), also has an IPA group, but it is not displayed in the id command.
On some other servers (IPA clients) it displays ONLY AD groups:
# id afrolushkin@megafon.ru
uid=236658172(afrolushkin@ad.com) gid=236658172(afrolushkin@ad.com) groups=236658172(afrolushkin@ad.com),236667642(rhidm-sa-admins@ad.com),236658193(sib-dwh-sa-admins@ad.com)

This is a big problem for us, because on those servers we cannot use HBAC & sudo; also, we don't think the primary AD group is an exception and cannot be used in IPA authorization.



WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
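
The comparison in the post (an IPA server resolving the trust user to an IPA group, an IPA client resolving only AD groups) is easy to do by eye for one user, but tedious across many hosts. The following script is an added example and not part of the original message or of FreeIPA/SSSD; it parses `id` output, splits the groups into AD-trust groups (names qualified with @domain) and IPA groups (unqualified names), and lists the IPA groups a reference host returns that a second host does not. The two sample `id` lines are those from the post, with the archive's "at" obfuscation restored to "@"; the ad.com domain is taken from the post.

```shell
#!/bin/sh
# Added example: diagnose missing IPA group membership for an AD trust user
# by comparing `id` output from two hosts. Not code from the original post.

# Sample `id` output constructed from the post (IPA server vs IPA client).
SERVER='uid=236658172(afrolushkin@ad.com) gid=236658172(afrolushkin@ad.com) groups=236658172(afrolushkin@ad.com),236658193(sib-dwh-sa-admins@ad.com),810800020(sib-dwh-sa-admins),236667642(rhidm-sa-admins@ad.com)'
CLIENT='uid=236658172(afrolushkin@ad.com) gid=236658172(afrolushkin@ad.com) groups=236658172(afrolushkin@ad.com),236667642(rhidm-sa-admins@ad.com),236658193(sib-dwh-sa-admins@ad.com)'

# Print one group name per line from the groups= field of an `id` line.
# Assumes group names contain no spaces or commas (true for POSIX-style names).
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# IPA groups are the unqualified names; AD trust groups carry @domain.
# `|| true` keeps `set -e` scripts alive when grep finds nothing.
ipa_groups() {
    id_groups "$1" | grep -v '@' || true
}

ad_groups() {
    id_groups "$1" | grep '@' || true
}

# IPA groups present in the reference output ($1) but absent from the
# second host's output ($2), one per line.
missing_ipa_groups() {
    ref=$(ipa_groups "$1")
    host=$(ipa_groups "$2")
    for g in $ref; do
        printf '%s\n' "$host" | grep -qx "$g" || printf '%s\n' "$g"
    done
}

# Stand-alone run: show what the client is missing relative to the server.
echo "AD groups on client:"
ad_groups "$CLIENT"
echo "IPA groups missing on client:"
missing_ipa_groups "$SERVER" "$CLIENT"
```

In practice, capture `id user@domain` on the IPA server and on the affected client and pass the two lines to `missing_ipa_groups`. An empty IPA-group list on a client means HBAC and sudo rules keyed on IPA groups cannot match there, which is exactly the symptom described above; before digging further, a stale SSSD cache on the client is worth ruling out (`sss_cache -E` invalidates all cached entries).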


________________________________


The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
