[Freeipa-users] AD Primary Groups are ignored in FreeIPA?

Martin Kosek mkosek at redhat.com
Mon May 16 13:27:39 UTC 2016


On 05/16/2016 05:28 AM, Lachlan Musicman wrote:
> Hola,
> 
> We have an interesting scenario that is hard to find any information on.
> 
> Due to permission restrictions on a NAS that is mounted and visible by both AD and 
> 'nix clients, every user belongs to a particular primary group.
> 
> When we try doing idoverrides on the groups, it fails with the Primary Group. 
> In some cases, the primary group doesn't even appear in a getent or id request. 
> Sometimes it appears with incorrect name or GID.
> 
> We have found it hard to get repeatable "failures", but here are two:
> 
> 1. getent group <groupname> (where groupname is any group, but is a primary 
> group for a subset of members)
> 
>   - does not return any member that has groupname as a primary group in AD.
> 
> 2. Overriding a group
> 
> If the user has that group as a primary group (in AD), it will override the 
> name, but not the GID.
> Otherwise, the override works.
> 
> There were a number of other unusual results that are hard to explain how to 
> reproduce because it was all so seemingly random.
> 
> 
> I feel like it would be an obvious need - to translate or override AD primary 
> groups to FreeIPA groups, but this doesn't seem possible.
> 
> Have we set IPA up incorrectly, or are we hitting on something else?
> 
> I found this AD support problem for Win2003, but I feel like it's old and would 
> surely have been solved? https://support.microsoft.com/en-us/kb/275523
> 
> Also, their solution ("hack AD, then hack your other LDAP software") is, for 
> some reason, funny to me.
> 
> Cheers
> L.

Hello Lachlan,

It seems you are looking for this extension:
https://fedorahosted.org/sssd/ticket/1872

It is not done yet; there is plenty of information in the ticket comments.
Please let us know if this does not help.

Martin
