[Freeipa-users] AD Primary Groups are ignored in FreeIPA?
Lachlan Musicman
datakid at gmail.com
Mon May 16 03:28:22 UTC 2016
Hola,
We have an interesting scenario that is hard to find any information on.
Due to permission restrictions, a NAS that is mounted and visible by both
AD and 'nix clients, every user belongs to a particular primary group.
When we try doing idoverride's on the groups, it fails with the Primary
Group. In some cases, the primary group doesn't even appear in a getent or
id request. Sometimes it appears with incorrect name or GID.
We have found it hard to get repeatable "failures", but here are two:
1. getent group <groupname> (where groupname is any group, but is a primary
group for a subset of members)
- does not return any member that has groupname as a primary group in AD.
2. Overriding a group
if the user has that group as a primary group (in AD), it will override the
name, but not the GID.
else, the override works.
There were a number of other unusual results that are hard to explain how
to reproduce because it was all so seemingly random.
I feel like it would be an obvious need - to translate or override AD
primary groups to FreeIPA groups, but this doesn't seem possible.
Have we set IPA up incorrectly, or are we hitting on something else?
I found this AD support problem for Win2003, but I feel like it's old and
would surely have been solved?
https://support.microsoft.com/en-us/kb/275523
Also, their solution ("hack AD, then hack your other LDAP software") is,
for some reason, funny to me.
Cheers
L.
------
The most dangerous phrase in the language is, "We've always done it this
way."
- Grace Hopper
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160516/072168f4/attachment.htm>
More information about the Freeipa-users
mailing list