[Freeipa-users] Mapping users from AD to IPA KDC

Sumit Bose sbose at redhat.com
Fri Dec 2 13:43:04 UTC 2016


On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
> Hey All,
> 
> I've successfully mapped the nixadmins to the external group
> nixadmins_external.  However no users in that group make it over to FreeIPA
> that I can see.
> 
> ipa group-add-member nixadmins_external --external "nixadmins"
> 
> Windows AD users, 3 of them, are in the Windows AD group nixadmins. However
> I can't port them over.
> 
> These accounts have UNIX attributes assigned to them.
> 
> Question that I have and can't find, should I be seeing these users in the
> mapped groups above?  ( ie within the GUI should I see any users listed from
> AD DC in nixadmins or nixadmins_external? )

no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
should show that nixadmins_external is a member of that group. With
recent versions of SSSD 'getent group nixadmins_external' should list the
users from nixadmins as well, older versions might miss them.

HTH

bye,
Sumit

> 
> If there is an issue and I'm just not picking it out from the debug logs,
> what to look for?  Is there anything more I need to do on the Windows side
> that I haven't found on the existing pages?
> 
> 
> # ipa group-add-member nixadmins_external --external "nixadmins"
> [member user]:
> [member group]:
>   Group name: nixadmins_external
>   Description: NIX Admins External map
>   External member: S-1-5-21-3418825849-1633701630-2291579631-1006
>   Member groups: nixadmins
>   Member of groups: nixadmins
>   Indirect Member groups: nixadmins_external
> -------------------------
> Number of members added 1
> -------------------------
> #
> 
> 
> # ipa trustdomain-find abc.xyz
>   Domain name: abc.xyz
>   Domain NetBIOS name: ABC
>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>   Domain enabled: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
> 
> 
> [realms]
>  DOM.ABC.XYZ = {
> .
> .
> .
>   auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
>   auth_to_local = DEFAULT
> }
> 
> 
> # ipa trust-fetch-domains abc.xyz
> ----------------------------------------------------------------------------------------
> List of trust domains successfully refreshed. Use trustdomain-find command
> to list them.
> ----------------------------------------------------------------------------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
> [root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
>   Domain name: abc.xyz
>   Domain NetBIOS name: ABC
>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>   Domain enabled: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
> 
> 
> # ipa trust-fetch-domains abc.xyz
> ----------------------------------------------------------------------------------------
> List of trust domains successfully refreshed. Use trustdomain-find command
> to list them.
> ----------------------------------------------------------------------------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
> #
> 
> 
> The following command successfully returns all AD objects under the Users
> cn.
> 
> # ldapsearch -x -h 192.168.0.3 -D "tom@abc.xyz" -W -b
> "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn
> 
> 
> -- 
> Cheers,
> Tom K.
> -------------------------------------------------------------------------------------
> 
> Living on earth is expensive, but it includes a free trip around the sun.
> 
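A scripted form of the check Sumit describes above (an added example, not part of the thread): parse the group list that `id user@ad.domain` prints through SSSD and test whether the IPA external group appears in it. The `id` output, user and group names below are constructed samples.

```shell
#!/bin/sh
# Added example: verify that an AD user resolved through SSSD carries the IPA
# external group that its AD group was mapped into. All names and ids in the
# samples are constructed, not taken from a real environment.

# Print the bare group names from one line of `id` output, one per line:
# "uid=1(u) gid=2(g) groups=2(g),3(h)" -> "g" and "h"
id_group_names() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# Return 0 if group $2 is listed in the id output $1, 1 otherwise.
id_output_has_group() {
    id_group_names "$1" | grep -Fxq -- "$2"
}

# Live check against SSSD. Returns 0 when the mapping is visible,
# 1 when the user resolves but the group is missing, 2 when the user
# does not resolve at all (trust or SSSD lookup problem, not a mapping one).
check_ad_user_mapping() {
    user="$1"; group="$2"
    out=$(id "$user" 2>/dev/null) || return 2
    id_output_has_group "$out" "$group"
}

# Constructed sample of `id tom@abc.xyz` when the external group mapping works.
SAMPLE_OK='uid=1234001106(tom@abc.xyz) gid=1234000513(domain users@abc.xyz) groups=1234000513(domain users@abc.xyz),1234001006(nixadmins@abc.xyz),1912000003(nixadmins_external)'
# Constructed sample where the user resolves but the IPA group is not picked up.
SAMPLE_MISSING='uid=1234001106(tom@abc.xyz) gid=1234000513(domain users@abc.xyz) groups=1234000513(domain users@abc.xyz),1234001006(nixadmins@abc.xyz)'

# Usage on a real client: check_ad_user_mapping 'tom@abc.xyz' nixadmins_external
```

A return code of 2 points at name resolution (trust, DNS or SSSD) rather than at the group mapping itself, so it is worth separating the two before reading the SSSD debug logs.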