[Freeipa-users] AD Primary Groups are ignored in FreeIPA?

Simpson Lachlan Lachlan.Simpson at petermac.org
Tue May 17 01:39:22 UTC 2016


> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Martin Kosek
> Sent: Monday, 16 May 2016 11:28 PM
> To: Lachlan Musicman; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
> 
> On 05/16/2016 05:28 AM, Lachlan Musicman wrote:
> > Hola,
> >
> > We have an interesting scenario that is hard to find any information on.
> >
> > Due to permission restrictions on a NAS that is mounted and visible to
> > both AD and 'nix clients, every user belongs to a particular primary group.
> >
> > When we try doing idoverrides on the groups, it fails with the Primary Group.
> > In some cases, the primary group doesn't even appear in a getent or id request.
> > Sometimes it appears with incorrect name or GID.
> >
> > We have found it hard to get repeatable "failures", but here are two:
> >
> > 1. getent group <groupname> (where groupname is any group, but is a
> > primary group for a subset of members)
> >
> >   - does not return any member that has groupname as a primary group in AD.
> >
> > 2. Overriding a group
> >
> > if the user has that group as a primary group (in AD), it will
> > override the name, but not the GID.
> > else, the override works.
> >
> > There were a number of other unusual results that are hard to explain
> > how to reproduce because it was all so seemingly random.
> >
> >
> > I feel like it would be an obvious need - to translate or override AD
> > primary groups to FreeIPA groups, but this doesn't seem possible.
> >
> > Have we set IPA up incorrectly, or are we hitting on something else?
> >
> > I found this AD support problem for Win2003, but I feel like it's old
> > and would surely have been solved?
> > https://support.microsoft.com/en-us/kb/275523
> >
> > Also, their solution ("hack AD, then hack your other LDAP software")
> > is, for some reason, funny to me.
> 
> It seems you are looking for this extension:
> https://fedorahosted.org/sssd/ticket/1872
> 
> It is not done yet, there is plenty of information in the ticket comments.
> Please let us know if this does not help.

Martin,

Thanks for your response. This doesn't quite fit our issues. This is explicitly about *private* groups in NIX (where adding a new user creates GID==UID and enrols that user).

Our problem is explicitly a *Primary Groups in AD* problem. Users that exist in AD have a primary group (traditionally "Domain Users") which we are using for other reasons (access control based on groups to files that are mounted on both AD and NIX servers).

In FreeIPA (ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 on fully up-to-date CentOS 7.2), after joining the AD (domain.org) in a one-way trust as a subdomain (unix.domain.org), when we query AD, it explicitly ignores AD-based primary groups - membership and overrides seem to fail.

Does that make sense?

I can see that it's vaguely related to the private group, but only insofar as it's the group that is assigned to the user (if you look in /etc/passwd on our pre-IPA system, our user data looks like: lsimpson:x:1542:10007::/home/lsimpson:/bin/bash, where 10007 is the ID of the primary group in AD).

Obviously this data is no longer in /etc/passwd, but it doesn't seem possible to affect it (via idoverrides).

Cheers
L.
This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been 
intercepted or altered and will not be liable for any delay 
in its receipt.




