[Freeipa-users] AD users not visible in FreeIPA mapped group

Angelo Pantano ghilteras at gmail.com
Wed Jul 15 20:09:42 UTC 2015


SSSD is able to evaluate group membership, but if for instance I create a
view for my user and I add an SSH public key, I can only use it to log in
passwordless on the IPA server, not on an IPA client. The password still
works, but I see nothing in the sssd logs that explains why the pubkey was
rejected on the IPA client. Could it be that the client is not really aware
that there is a view override? I thought that the external mapping would
facilitate this.

On Mon, Jul 13, 2015 at 11:46 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Mon, 13 Jul 2015, Angelo Pantano wrote:
>
>> I have the same entry there, my question is that I don't understand why it
>> doesn't give me any visibility of the AD users mapped in that group, I
>> mean I just see that entry, but what's that supposed to do? It doesn't
>> really change anything with or without, I am missing the supposed value of
>> having the AD users mapped in a FreeIPA posix group.
>>
>> I was expecting to see the AD users in that group, but I got nothing. I'm
>> a bit confused
>>
> Read the documentation.
>
> Once you have added an AD user or group as an external member of an
> external IPA group and then added this group as a member of an IPA POSIX
> group, the user belonging to the AD group would appear as a member of the
> IPA POSIX group:
>
> # id administrator@adx.test
> uid=1878600500(administrator@adx.test)
> gid=1878600500(administrator@adx.test)
> groups=1878600500(administrator@adx.test),1878600520(group policy
> creator owners@adx.test),1878600519(enterprise
> admins@adx.test),1878600512(domain admins@adx.test),1878600518(schema
> admins@adx.test),1878600513(domain users@adx.test),1634400007(ad_admins)
>
> You wouldn't see this in the web UI because the web UI is showing what is
> in LDAP, not what is visible in the system when SSSD evaluates the
> group membership.
> --
> / Alexander Bokovoy
>
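
The membership check described in the quoted reply, as an added example that is not part of the original thread: it tests what SSSD resolves on a host by reading `id` output rather than the LDAP entry the web UI shows. The function names and the `SAMPLE` line are constructed for illustration; the sample uses `@` in names, which the list archive renders as " at ".

```shell
#!/bin/sh
# Added example: confirm SSSD-evaluated membership of an IPA POSIX group.

# Print one group name per line from a line of `id USER` output.
# Entries are split on "),", never on spaces, because AD group names
# contain spaces. Assumes every gid resolved to a name and that no
# name contains "),".
id_group_names() {
    case "$1" in *groups=*) ;; *) return 1 ;; esac
    printf '%s\n' "$1" |
        sed -e 's/^.*groups=//' -e 's/ context=.*$//' |  # drop SELinux context
        awk '{
            n = split($0, part, /\),/)
            for (i = 1; i <= n; i++) {
                name = part[i]
                sub(/^[0-9]+\(/, "", name)  # drop leading "GID("
                sub(/\)$/, "", name)         # drop ")" kept on the last entry
                print name
            }
        }'
}

# Succeed only if group $2 is an exact, whole-name match in `id` output $1.
id_output_has_group() {
    id_group_names "$1" | grep -Fxq -- "$2"
}

# Live check on an enrolled host: returns 2 if the user does not resolve.
sssd_user_in_group() {
    out=$(id -- "$1" 2>/dev/null) || return 2
    id_output_has_group "$out" "$2"
}

# Constructed sample in the format shown in the mail above.
SAMPLE='uid=1878600500(administrator@adx.test) gid=1878600500(administrator@adx.test) groups=1878600500(administrator@adx.test),1878600520(group policy creator owners@adx.test),1878600512(domain admins@adx.test),1634400007(ad_admins)'

if id_output_has_group "$SAMPLE" 'ad_admins'; then
    echo "ad_admins: member (as evaluated by SSSD)"
fi
```

On an enrolled host, `sssd_user_in_group administrator@adx.test ad_admins` performs the same test against live `id` output.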