[Freeipa-users] AD Primary Groups are ignored in FreeIPA?

Alexander Bokovoy abokovoy at redhat.com
Mon May 16 13:46:15 UTC 2016


On Mon, 16 May 2016, Lachlan Musicman wrote:
>Hola,
>
>We have an interesting scenario that is hard to find any information on.
>
>Due to permission restrictions, a NAS that is mounted and visible by both
>AD and 'nix clients, every user belongs to a particular primary group.
What scope do these primary groups have in AD?

>When we try doing idoverride's on the groups, it fails with the Primary
>Group. In some cases, the primary group doesn't even appear in a getent or
>id request. Sometimes it appears with incorrect name or GID.
>
>We have found it hard to get repeatable "failures", but here are two:
>
>1. getent group <groupname> (where groupname is any group, but is a primary
>group for a subset of members)
>
> - does not return any member that has groupname as a primary group in AD.
>
>2. Overriding a group
>
>if the user has that group as a primary group (in AD), it will override the
>name, but not the GID.
>else, the override works.
>
>There were a number of other unusual results that are hard to explain how
>to reproduce because it was all so seemingly random.
Primary groups in AD are a bit complex. SSSD needs to improve on its
handling as, for example, Samba only recognizes primary groups from AD,
not any others, and there should be some coherence to make things
actually work correctly.

>I feel like it would be an obvious need - to translate or override AD
>primary groups to FreeIPA groups, but this doesn't seem possible.
There is only one primary group for a user. For Kerberos operations we
currently don't take ID overrides into account when constructing the MS-PAC,
so if an AD user comes with GSSAPI to a FreeIPA client, its primary group SID
will stay pinned to AD's group, ignoring ID overrides.

I'm not sure it would be possible to amend primary group SIDs with ID
overrides in general because a numeric value in the override for a gid
does not mean there is an actual group with a proper SID and name in
FreeIPA for that gid.

There is another issue, though. If a user's primary group has domain
local scope, FreeIPA will not be able to use that group through the
forest boundary; at least, it should be ignored according to the AD
specs.

-- 
/ Alexander Bokovoy
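The two things the reply asks the reporter to check, the scope of the primary group and the fact that the primary group is pinned by SID rather than by name or GID, can be worked out from the raw AD attributes. The following is an added example written for this thread, not code from FreeIPA, SSSD or Samba. It assumes LDAP-style attribute dicts as input (binary objectSid, integer primaryGroupID, signed 32-bit groupType, memberOf as DNs) and uses constructed sample data with a made-up domain SID and made-up group names; the groupType bit values are the real ones from the AD schema.

```python
"""Diagnose an AD user's primary group from raw LDAP attributes.

Added example for the freeipa-users thread above; not FreeIPA/SSSD code.
The sample user and groups below are constructed, not taken from any domain.
"""
import struct

# groupType bits as defined by the AD schema (these values are real).
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def decode_sid(raw: bytes) -> str:
    """Convert a binary objectSid (revision, count, 48-bit authority,
    little-endian sub-authorities) to its S-1-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; only used here to build the constructed sample."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def group_scope(group_type: int) -> str:
    """Map groupType (stored as a signed 32-bit integer in LDAP) to its scope."""
    gt = group_type & 0xFFFFFFFF
    if gt & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif gt & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif gt & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return scope + (" security" if gt & GROUP_TYPE_SECURITY_ENABLED else " distribution")


def primary_group_sid(user: dict) -> str:
    """AD stores the primary group only as a RID (primaryGroupID); the group's
    SID is the user's domain SID with that RID appended."""
    domain_sid = decode_sid(user["objectSid"]).rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, user["primaryGroupID"])


def check_primary_group(user: dict, groups: list) -> dict:
    """Resolve the primary group by SID and report what matters for FreeIPA:
    whether it is domain local (should be ignored across the forest boundary,
    as the reply says) and that it is not listed in memberOf, which is why it
    looks different from the user's other groups."""
    pg_sid = primary_group_sid(user)
    group = next((g for g in groups if decode_sid(g["objectSid"]) == pg_sid), None)
    result = {"primary_group_sid": pg_sid, "found": group is not None,
              "name": None, "scope": None, "in_memberOf": False,
              "usable_across_forest": None}
    if group is None:
        return result
    result["name"] = group["sAMAccountName"]
    result["scope"] = group_scope(group["groupType"])
    result["in_memberOf"] = group["dn"] in user.get("memberOf", [])
    result["usable_across_forest"] = not result["scope"].startswith("domain local")
    return result


# Constructed sample data (hypothetical domain SID, names and RIDs).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_GROUPS = [
    {"dn": "CN=nas-team,OU=Groups,DC=example,DC=test",
     "sAMAccountName": "nas-team",
     "objectSid": encode_sid(DOMAIN_SID + "-1201"),
     "groupType": -2147483644},   # 0x80000004: domain local, security-enabled
    {"dn": "CN=nas-global,OU=Groups,DC=example,DC=test",
     "sAMAccountName": "nas-global",
     "objectSid": encode_sid(DOMAIN_SID + "-1202"),
     "groupType": -2147483646},   # 0x80000002: global, security-enabled
]
SAMPLE_USER = {
    "sAMAccountName": "lachlan",
    "objectSid": encode_sid(DOMAIN_SID + "-1105"),
    "primaryGroupID": 1201,       # primary group set to nas-team, not Domain Users
    "memberOf": ["CN=nas-global,OU=Groups,DC=example,DC=test"],
}

if __name__ == "__main__":
    for key, value in check_primary_group(SAMPLE_USER, SAMPLE_GROUPS).items():
        print("%-22s %s" % (key, value))
```

Against a real domain the same functions take the attributes returned by an LDAP search for the user and for `(objectSid=<primary group SID>)`; the point of the SID arithmetic is that no ID override changes what `primaryGroupID` resolves to, which is the pinning the reply describes.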