[Freeipa-users] Incomplete user identities on legacy clients

Alexander Bokovoy abokovoy at redhat.com
Fri Feb 19 12:54:33 UTC 2016


On Fri, 19 Feb 2016, Vladimir Kondratyev wrote:
>Hi
>
>I installed the latest ipa-server-4.2.0-15.el7_2.6.x86_64 with the slapi-nis
>plugin on RHEL 7.2, then installed and configured
>ipa-server-trust-ad-4.2.0-15.el7_2.6.x86_64 with the compat-schema option
>and then successfully established a one-way trust with a Win2008R2 domain
>(named ad.dlink)
>
>After that following objects have been created in AD:
>
>groups:
>"linux admins at ad.dlink"
>"linux users at ad.dlink"
>
>users:
>"user2 at ad.dlink" - member of "linux users at ad.dlink"
>"user3 at ad.dlink" - member of both "linux users at ad.dlink" and "linux admins at ad.dlink" groups
>
>On the IPA side I created the following groups and relations:
>
>external member -> external ipa group -> posix ipa group
>"linux admins at ad.dlink" -> "ad_la_ext" -> "ad_la"
>"linux users at ad.dlink" -> "ad_lu_ext" -> "ad_lu"
>
>So "user2 at ad.dlink" being logged in to ipa-client becomes a member of
>"ad_lu" posix group and "user3 at ad.dlink" becomes a member of both
>"ad_la" and "ad_lu" groups
>
>That is working as intended for sssd 1.9+ clients but not for legacy
>clients
Yes, there is a complex issue in SSSD and slapi-nis that prevents
AD members of IPA groups from being fully resolved for legacy clients.
The good news is that it is now almost fixed, and updates for sssd and
slapi-nis will appear in the next RHEL 7 update.

-- 
/ Alexander Bokovoy
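Legacy (non-SSSD) clients see AD users only through the posixGroup entries that slapi-nis publishes in the compat tree, so the quickest way to confirm the symptom described in this thread is to compare the memberships you expect from the external-group chain against what the compat tree actually exposes. The script below is an added example, not code from the thread or from FreeIPA/slapi-nis: it parses a small LDIF excerpt and reports every expected group that a user is missing from. The LDIF sample is constructed by hand to resemble `ldapsearch -x -b cn=groups,cn=compat,dc=example,dc=test` output; the base DN `dc=example,dc=test`, the gidNumbers and the `user@ad.dlink` spelling of memberUid values are assumptions. On a real server you would feed it the output of that ldapsearch instead.

```python
"""Compare expected POSIX group membership of AD users against the compat tree.

Added example (not from the thread or from FreeIPA/slapi-nis).  The LDIF below
is constructed, and the base DN, gidNumbers and memberUid spelling are assumed.
"""
import base64
import re

# Constructed sample: what cn=groups,cn=compat might return.  ad_la deliberately
# lacks user3@ad.dlink to reproduce the "incomplete identity" seen on legacy clients.
SAMPLE_COMPAT_LDIF = """\
dn: cn=ad_lu,cn=groups,cn=compat,dc=example,dc=test
objectClass: posixGroup
objectClass: top
cn: ad_lu
gidNumber: 1700000003
memberUid: user2@ad.dlink
memberUid: user3@ad.dlink

dn: cn=ad_la,cn=groups,cn=compat,dc=example,dc=test
objectClass: posixGroup
objectClass: top
cn: ad_la
gidNumber: 1700000004
"""

# Membership implied by the chain  external member -> *_ext group -> posix group.
EXPECTED_MEMBERSHIP = {
    "user2@ad.dlink": {"ad_lu"},
    "user3@ad.dlink": {"ad_lu", "ad_la"},
}


def parse_ldif_groups(ldif):
    """Return {group cn: set(memberUid)} for every posixGroup entry in the LDIF.

    Handles the two LDIF details that bite ad-hoc parsers: continuation lines
    (leading single space) and base64 values ("attr:: <b64>").
    """
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        lines = []
        for raw in entry.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # continuation of previous value
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):         # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if "posixgroup" not in classes or "cn" not in attrs:
            continue
        groups[attrs["cn"][0]] = set(attrs.get("memberuid", []))
    return groups


def observed_membership(groups):
    """Invert {group: members} into {uid: set(groups)}."""
    by_user = {}
    for cn, members in groups.items():
        for uid in members:
            by_user.setdefault(uid, set()).add(cn)
    return by_user


def missing_memberships(expected, ldif):
    """Return {uid: [groups the compat tree does not list the user in]}."""
    observed = observed_membership(parse_ldif_groups(ldif))
    gaps = {}
    for uid, wanted in expected.items():
        missing = wanted - observed.get(uid, set())
        if missing:
            gaps[uid] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for uid, groups in missing_memberships(EXPECTED_MEMBERSHIP, SAMPLE_COMPAT_LDIF).items():
        print(f"{uid}: not visible in {', '.join(groups)}")
```

An empty result means the compat tree matches the IPA-side group chain; anything listed is a membership that SSSD clients will see but NSS-LDAP clients reading the compat tree will not.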