[Freeipa-users] AD Primary Groups are ignored in FreeIPA?

Jakub Hrozek jhrozek at redhat.com
Mon May 16 13:45:00 UTC 2016


On Mon, May 16, 2016 at 03:27:39PM +0200, Martin Kosek wrote:
> On 05/16/2016 05:28 AM, Lachlan Musicman wrote:
> > Hola,
> > 
> > We have an interesting scenario that is hard to find any information on.
> > 
> > Due to permission restrictions on a NAS that is mounted and visible to both AD and 
> > 'nix clients, every user belongs to a particular primary group.
> > 
> > When we try doing idoverrides on the groups, it fails with the Primary Group. 
> > In some cases, the primary group doesn't even appear in a getent or id request. 
> > Sometimes it appears with incorrect name or GID.
> > 
> > We have found it hard to get repeatable "failures", but here are two:
> > 
> > 1. getent group <groupname> (where groupname is any group, but is a primary 
> > group for a subset of members)
> > 
> >   - does not return any member that has groupname as a primary group in AD.
> > 
> > 2. Overriding a group
> > 
> > if the user has that group as a primary group (in AD), it will override the 
> > name, but not the GID.
> > else, the override works.
> > 
> > There were a number of other unusual results that are hard to explain how to 
> > reproduce because it was all so seemingly random.
> > 
> > 
> > I feel like it would be an obvious need - to translate or override AD primary 
> > groups to FreeIPA groups, but this doesn't seem possible.
> > 
> > Have we set IPA up incorrectly, or are we hitting on something else?
> > 
> > I found this AD support problem for Win2003, but I feel like it's old and would 
> > surely have been solved? https://support.microsoft.com/en-us/kb/275523
> > 
> > Also, their solution ("hack AD, then hack your other LDAP software") is, for 
> > some reason, funny to me.
> > 
> > Cheers
> > L.
> 
> Hello Lachlan,
> 
> It seems you are looking for this extension:
> https://fedorahosted.org/sssd/ticket/1872
> 
> It is not done yet, there is plenty of information in the ticket comments.
> Please let us know if this does not help.

I think for IPA-AD trust, this ticket is not related that much, the
ticket is more about direct SSSD->AD integration.

I keep Lachlan's mail unread to circle back when I have a bit more time
to test, but in general, it is required for the group override object to
also exist so that SSSD can resolve the overridden gid with getgrgid().
However, it seems that the OP already did that, which is why I would
like to test their use case a bit more locally.
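The consistency Jakub describes (the overridden GID must still resolve with getgrgid(), and the name it resolves to must map back to the same GID) can be checked from an IPA client with two getent lookups per user. The script below is an added example, not code from this thread or from SSSD/FreeIPA; the user and group names and all the sample passwd/group lines in it are constructed so that it runs offline, and it only queries the real NSS databases when USE_GETENT=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread, SSSD or FreeIPA). For a user it
# takes the primary GID from the passwd entry, resolves it the way
# getgrgid() would (`getent group <gid>`), then resolves the returned
# name the way getgrnam() would (`getent group <name>`) and compares the
# GIDs. A group whose name was overridden but whose GID does not resolve
# shows up as a mismatch between the two lookups.
#
# Default: constructed sample data below (offline). USE_GETENT=1: real NSS.

# Constructed sample accounts (not real users or groups).
SAMPLE_PASSWD='alice:*:10001:20001:Alice:/home/alice:/bin/sh
bob:*:10002:20002:Bob:/home/bob:/bin/sh
carol:*:10003:20003:Carol:/home/carol:/bin/sh'
# - alice: primary group resolves consistently in both directions
# - bob:   primary GID 20002 has no group entry at all
# - carol: GID 20003 resolves to "nas-data", but "nas-data" resolves to a
#          different GID (the "name overridden, GID not" symptom reported)
SAMPLE_GROUP='nas-users:*:20001:alice
nas-data:*:20099:
nas-data:*:20003:carol'

lookup_passwd() {            # $1 = user name -> passwd line, or nothing
    if [ "${USE_GETENT:-0}" = 1 ]; then getent passwd "$1" || :; return 0; fi
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v n="$1" '$1 == n { print; exit }'
}
lookup_group_by_gid() {      # $1 = numeric GID -> group line, or nothing
    if [ "${USE_GETENT:-0}" = 1 ]; then getent group "$1" || :; return 0; fi
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$3 == g { print; exit }'
}
lookup_group_by_name() {     # $1 = group name -> group line, or nothing
    if [ "${USE_GETENT:-0}" = 1 ]; then getent group "$1" || :; return 0; fi
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v n="$1" '$1 == n { print; exit }'
}

# check_primary_group USER
# exit status: 0 consistent, 1 no passwd entry, 2 primary GID does not
#              resolve, 3 resolved name maps back to a different GID
check_primary_group() {
    pw=$(lookup_passwd "$1")
    if [ -z "$pw" ]; then
        echo "$1: no passwd entry"; return 1
    fi
    gid=$(printf '%s\n' "$pw" | cut -d: -f4)
    gr=$(lookup_group_by_gid "$gid")
    if [ -z "$gr" ]; then
        echo "$1: primary GID $gid does not resolve via getgrgid()"; return 2
    fi
    name=$(printf '%s\n' "$gr" | cut -d: -f1)
    back=$(lookup_group_by_name "$name" | cut -d: -f3)
    if [ "$back" != "$gid" ]; then
        echo "$1: GID $gid -> '$name', but '$name' -> GID ${back:-<none>}"; return 3
    fi
    echo "$1: primary group '$name' ($gid) resolves consistently"
    return 0
}

# Demo over the sample users; '|| :' keeps a failing check from aborting
# the script when it runs under 'set -e'.
for u in alice bob carol dave; do
    check_primary_group "$u" || :
done
```

On a real client, `USE_GETENT=1 sh check.sh` (with the user list replaced by the AD users in question) runs the same two lookups against SSSD, so a non-zero status points at which half of the override is missing: status 2 means no group object answers for the GID at all, status 3 means the name and the GID are served by different objects.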
