[Freeipa-users] Mapping users from AD to IPA KDC

TomK tk at mdevsys.com
Fri Dec 2 13:30:28 UTC 2016


Hey All,

I've successfully mapped the nixadmins to the external group 
nixadmins_external.  However, no users in that group make it over to 
FreeIPA that I can see.

ipa group-add-member nixadmins_external --external "nixadmins"

Windows AD users, 3 of them, are in the Windows AD group nixadmins. 
However, I can't port them over.

These accounts have UNIX attributes assigned to them.

A question I have and can't find an answer to: should I be seeing these 
users in the mapped groups above?  (i.e. within the GUI, should I see any 
users from the AD DC listed in nixadmins or nixadmins_external?)

If there is an issue and I'm just not picking it out from the debug 
logs, what should I look for?  Is there anything more I need to do on the 
Windows side that I haven't found on the existing pages?


# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
   Group name: nixadmins_external
   Description: NIX Admins External map
   External member: S-1-5-21-3418825849-1633701630-2291579631-1006
   Member groups: nixadmins
   Member of groups: nixadmins
   Indirect Member groups: nixadmins_external
-------------------------
Number of members added 1
-------------------------
#


# ipa trustdomain-find abc.xyz
   Domain name: abc.xyz
   Domain NetBIOS name: ABC
   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
   Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
#


[realms]
  DOM.ABC.XYZ = {
.
.
.
   auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
   auth_to_local = DEFAULT
}


# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find 
command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
   Domain name: abc.xyz
   Domain NetBIOS name: ABC
   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
   Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------


# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find 
command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
#


The following command successfully returns all AD objects under the 
Users cn.

# ldapsearch -x -h 192.168.0.3 -D "tom@abc.xyz" -W -b "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn


-- 
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
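One sanity check worth running on output like the above is whether the SID recorded as the external member actually belongs to a domain that IPA knows through the trust. An external member is stored as a raw AD SID (S-1-5-21-X-Y-Z-RID); its domain portion is S-1-5-21-X-Y-Z, and SSSD can only resolve the group's members if that prefix matches a trusted domain returned by `ipa trustdomain-find`. The script below is an added example written for this thread, not code from FreeIPA or from the original post: it parses the two command outputs quoted above (embedded here as constructed sample input) and reports, for each external member SID, which trusted domain it maps to. Run on the values quoted in the post, it reports that the external member's prefix (S-1-5-21-3418825849-1633701630-2291579631) does not match the SID of the single trusted domain listed (S-1-5-21-1803828911-4163023034-2461700517), which is the kind of mismatch to look for before digging through the SSSD debug logs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the 'ipa group-add-member' and 'ipa trustdomain-find'
# output quoted in the post above, embedded so the script runs offline.
GROUP_OUTPUT = """\
   Group name: nixadmins_external
   Description: NIX Admins External map
   External member: S-1-5-21-3418825849-1633701630-2291579631-1006
   Member groups: nixadmins
"""

TRUST_OUTPUT = """\
   Domain name: abc.xyz
   Domain NetBIOS name: ABC
   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
   Domain enabled: True
"""

# Domain-style NT SID: S-1-5-21-<sub1>-<sub2>-<sub3>[-RID]
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+(?:-\d+)?")


def domain_sid(sid: str) -> str:
    """Return the domain portion of a SID (everything before the trailing RID)."""
    parts = sid.split("-")
    if len(parts) < 7 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain-style SID: {sid}")
    return "-".join(parts[:7])


def parse_external_members(text: str) -> List[str]:
    """Collect SIDs from 'External member:' lines (IPA prints multi-valued
    attributes comma-separated on one line)."""
    sids: List[str] = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "External member":
            sids.extend(s for s in value.replace(",", " ").split()
                        if SID_RE.fullmatch(s))
    return sids


def parse_trust_domains(text: str) -> Dict[str, str]:
    """Map domain SID -> domain name from 'ipa trustdomain-find' output."""
    domains: Dict[str, str] = {}
    name: Optional[str] = None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Domain name":
            name = value
        elif key == "Domain Security Identifier" and name:
            domains[value] = name
    return domains


def check_external_members(group_text: str,
                           trust_text: str) -> Dict[str, Optional[str]]:
    """For each external member SID, the trusted domain it belongs to,
    or None when no trusted domain has that SID prefix."""
    trusted = parse_trust_domains(trust_text)
    return {sid: trusted.get(domain_sid(sid))
            for sid in parse_external_members(group_text)}


if __name__ == "__main__":
    for sid, dom in check_external_members(GROUP_OUTPUT, TRUST_OUTPUT).items():
        print(sid, "->", dom or "no trusted domain matches this SID prefix")
```

To use it against a live server, replace the two embedded strings with the output of `ipa group-show <group>` and `ipa trustdomain-find <forest>`; a None result means the group's SID was issued by a domain IPA has not fetched, which is consistent with `trust-fetch-domains` returning zero entries as in the post.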



