[Freeipa-users] FreeIPA 4.1.4 and Windows Groups
Alexander Bokovoy
abokovoy at redhat.com
Mon Apr 27 19:38:53 UTC 2015
On Mon, 27 Apr 2015, Zach McNeilly wrote:
>Hi all,
>
>First I'd like to say thank you for the fantastic product. We've been
>using FreeIPA since v 1 and it's been fantastic.
>
>Recently we've hit a slight snag, however. We used this document
>(https://www.freeipa.org/page/Windows_authentication_against_FreeIPA)
>to set up Windows to use FreeIPA for its back-end authentication. This
>works really well and we are really happy with it.
You know that it is not a supported configuration, right?
>To integrate a CIFS server with FreeIPA we ran 'ipa-adtrust-install'
>on our FreeIPA servers, this added several attributes to every user as
>expected. However, now when users try to log on to a Windows machine
>with their FreeIPA credentials they can log on but they are no longer
>in any Windows groups (Administrators or Remote Desktop Users in this
>case). This was working before running ipa-adtrust-install.
>
>If you remove the following attributes from the user Windows works
>again but samba no longer does:
>
>objectclass=ipantuserattrs
>ipantsecurityidentifier=<SID>
>
>I've been banging my head against the wall on this for a while, and
>can't seem to get everything to mesh. Can anyone make any
>recommendations?
I don't think we can do anything here. Windows takes the list of SIDs from
the Kerberos ticket's MS-PAC, which is filled by the IPA KDC. The format of
MS-PAC includes the group list in the form of RIDs, i.e. relative identifiers,
relative to the domain SID.
--
/ Alexander Bokovoy
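The RID-relative group list the reply describes, modelled as an added example (not code from the thread, FreeIPA or Samba): it shows which group SIDs can be carried as RIDs under the domain SID and which cannot. The domain SID and group SIDs are constructed sample values, and only the RID-based group list is modelled.

```python
"""Model of the MS-PAC group list: group membership is carried as RIDs
relative to the domain SID, so only groups under that SID can be expressed."""
from typing import List, Tuple

# Constructed sample values, not SIDs from any real deployment.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = DOMAIN_SID + "-513"
IPA_GROUP = DOMAIN_SID + "-1001"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"      # well-known local group SID
BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555"


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-1-<authority>-<sub1>-...' into (revision, authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision: {sid!r}")
    return revision, authority, subs


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID): the last sub-authority is the RID."""
    rev, auth, subs = parse_sid(sid)
    domain = "-".join(["S", str(rev), str(auth), *map(str, subs[:-1])])
    return domain, subs[-1]


def pac_group_rids(member_sids: List[str], domain_sid: str) -> Tuple[List[int], List[str]]:
    """Build the RID list a PAC can carry for domain_sid.
    Groups under any other SID (e.g. BUILTIN S-1-5-32-*) cannot be expressed
    as a RID relative to the domain and are returned separately."""
    rids, not_representable = [], []
    for sid in member_sids:
        domain, rid = split_domain_rid(sid)
        (rids if domain == domain_sid else not_representable).append(rid if domain == domain_sid else sid)
    return rids, not_representable


def expand_pac_rids(domain_sid: str, rids: List[int]) -> List[str]:
    """What the receiving side reconstructs: domain SID + RID for each entry."""
    return [f"{domain_sid}-{rid}" for rid in rids]
```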