[Freeipa-users] Mapping users from AD to IPA KDC

TomK tk at mdevsys.com
Sat Dec 3 05:33:43 UTC 2016


On 12/2/2016 8:43 AM, Sumit Bose wrote:
> On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
>> Hey All,
>>
>> I've successfully mapped the nixadmins to the external group
>> nixadmins_external.  However, no users in that group make it over to FreeIPA
>> that I can see.
>>
>> ipa group-add-member nixadmins_external --external "nixadmins"
>>
>> Windows AD users, 3 of them, are in the Windows AD group nixadmins. However,
>> I can't port them over.
>>
>> These accounts have UNIX attributes assigned to them.
>>
>> A question I have and can't find an answer to: should I be seeing these users in the
>> mapped groups above?  ( ie within the GUI should I see any users listed from
>> AD DC in nixadmins or nixadmins_external? )
>
> no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
> should show that nixadmins_external is a member of that group. With
> recent versions of SSSD 'getent group nixadmins_external' should list the
> users from nixadmins as well, older versions might miss them.
>
> HTH
>
> bye,
> Sumit
>
>>
>> If there is an issue and I'm just not picking it out from the debug logs,
>> what to look for?  Is there anything more I need to do on the Windows side
>> that I haven't found on the existing pages?
>>
>>
>> # ipa group-add-member nixadmins_external --external "nixadmins"
>> [member user]:
>> [member group]:
>>   Group name: nixadmins_external
>>   Description: NIX Admins External map
>>   External member: S-1-5-21-3418825849-1633701630-2291579631-1006
>>   Member groups: nixadmins
>>   Member of groups: nixadmins
>>   Indirect Member groups: nixadmins_external
>> -------------------------
>> Number of members added 1
>> -------------------------
>> #
>>
>>
>> # ipa trustdomain-find abc.xyz
>>   Domain name: abc.xyz
>>   Domain NetBIOS name: ABC
>>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>>   Domain enabled: True
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>> #
>>
>>
>> [realms]
>>  DOM.ABC.XYZ = {
>> .
>> .
>> .
>>   auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
>>   auth_to_local = DEFAULT
>> }
>>
>>
>> # ipa trust-fetch-domains abc.xyz
>> ----------------------------------------------------------------------------------------
>> List of trust domains successfully refreshed. Use trustdomain-find command
>> to list them.
>> ----------------------------------------------------------------------------------------
>> ----------------------------
>> Number of entries returned 0
>> ----------------------------
>> [root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
>>   Domain name: abc.xyz
>>   Domain NetBIOS name: ABC
>>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>>   Domain enabled: True
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>>
>> # ipa trust-fetch-domains abc.xyz
>> ----------------------------------------------------------------------------------------
>> List of trust domains successfully refreshed. Use trustdomain-find command
>> to list them.
>> ----------------------------------------------------------------------------------------
>> ----------------------------
>> Number of entries returned 0
>> ----------------------------
>> #
>>
>>
>> The following command successfully returns all AD objects under the Users
>> cn.
>>
>> # ldapsearch -x -h 192.168.0.3 -D "tom@abc.xyz" -W -b
>> "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn
>>
>>
>> --
>> Cheers,
>> Tom K.
>> -------------------------------------------------------------------------------------
>>
>> Living on earth is expensive, but it includes a free trip around the sun.
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

Nothing:

# id tom@abc.xyz
id: tom@abc.xyz: no such user
# getent group nixadmins_external
# getent group nixadmins
nixadmins:*:1746600012:
#

I'll enable debug logging to determine further.

-- 
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
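The two checks Sumit suggests ('id user@ad.domain' and 'getent group nixadmins_external'), wrapped in a small POSIX sh script as an added example; it is not part of this thread and not FreeIPA or SSSD code. The sample `id` and `getent` lines embedded below are constructed, and the user names and GIDs in them are assumptions. The parsing functions work on captured text so they run offline; `check_mapping` is the only function that needs a live SSSD client, and it reports the "no such user" case seen in the reply above as a resolution failure rather than a membership failure.

```shell
#!/bin/sh
# Added example: verify that an AD user resolved through the IPA trust carries
# the IPA group that was mapped via --external (SID-based membership).
# Sample outputs are constructed for this example; GIDs and names are made up.

# Constructed `id tom@abc.xyz` output on a working setup.
SAMPLE_ID_OK='uid=1803801106(tom@abc.xyz) gid=1803801106(tom@abc.xyz) groups=1803801106(tom@abc.xyz),1746600012(nixadmins),1746600013(nixadmins_external)'
# Constructed output where the user resolves but the mapped group is absent.
SAMPLE_ID_MISSING='uid=1803801106(tom@abc.xyz) gid=1803801106(tom@abc.xyz) groups=1803801106(tom@abc.xyz)'
# Constructed `getent group nixadmins_external` lines, with and without members.
SAMPLE_GETENT_OK='nixadmins_external:*:1746600013:tom@abc.xyz,alice@abc.xyz'
SAMPLE_GETENT_EMPTY='nixadmins_external:*:1746600013:'

# id_has_group ID_OUTPUT GROUP: exit 0 if GROUP is named in the groups= list.
# Strips the "gid(" prefix and ")" suffix of each entry and matches whole names.
id_has_group() {
    glist=$(printf '%s\n' "$1" | sed -n 's/.*groups=//p')
    printf '%s\n' "$glist" | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' | grep -qxF -- "$2"
}

# getent_members GETENT_LINE: print the member field one name per line.
getent_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# getent_member_count GETENT_LINE: number of members listed (0 when empty).
getent_member_count() {
    getent_members "$1" | wc -l | tr -d ' '
}

# check_mapping USER IPA_GROUP: run the live checks on an enrolled client.
# Distinguishes "SSSD cannot resolve the AD user at all" from "user resolves
# but the mapped IPA group is missing", which need different debugging.
check_mapping() {
    user=$1; group=$2
    id_out=$(id "$user" 2>/dev/null) \
        || { echo "FAIL: id $user: user not resolved by SSSD"; return 1; }
    if id_has_group "$id_out" "$group"; then
        echo "OK: $user is a member of $group"
    else
        echo "FAIL: $user resolves but $group is missing from its group list"
        return 1
    fi
    n=$(getent_member_count "$(getent group "$group")")
    echo "getent group $group lists $n member(s) (may be 0 on older SSSD)"
}

# Usage on a client: check_mapping 'tom@abc.xyz' nixadmins_external
```

The `id` result is the authoritative one: SSSD computes external membership from the user's SID-based group list, so a user that resolves but lacks the mapped group points at the trust or ID-mapping side, while an empty `getent group` member list alone is not conclusive on older SSSD.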
