[Freeipa-users] AD Primary Groups are ignored in FreeIPA?

Alexander Bokovoy abokovoy at redhat.com
Tue May 17 05:39:35 UTC 2016


On Tue, 17 May 2016, Simpson Lachlan wrote:
>> >I feel like it would be an obvious need - to translate or override AD
>> >primary groups to FreeIPA groups, but this doesn't seem possible.
>> There is only one primary group for a user. For Kerberos operations we currently
>> don't take ID overrides into account when constructing MS-PAC, so if AD users
>> come with GSSAPI to a FreeIPA client, their primary group SID will stay pinned to
>> AD's group, ignoring ID overrides.
>
>What is MS-PAC?
https://msdn.microsoft.com/en-us/library/cc237917.aspx

>
>> I'm not sure it would be possible to amend primary group SIDs with ID overrides in
>> general because a numeric value in the override for a gid does not mean there is
>> an actual group with a proper SID and name in FreeIPA for that gid.
>
>
>Not interested in changing the SID. I want to change the GID. When the
>AD groups are read in FreeIPA they are given a GID like 1718800000.
>
>I want that GID to be the same as it is in AD - eg 10004. That way,
>when a user writes to the shared drive on the linux side, the file is
>given the group ownership 10004. Which, when read on the Windows side,
>correctly maps to a group of users (instead of an individual). This is
>working in the current non-IPA system, but that system is not
>integrated. We want to integrate, hence FreeIPA.
So you have POSIX attributes defined in AD already? Why then are you
using POSIX attributes defined in IPA? You could have defined an ID
range type that forces SSSD to use POSIX attributes from Active
Directory.

-- 
/ Alexander Bokovoy
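To make the distinction in the last reply concrete, here is an added example (not code from the thread, FreeIPA or SSSD) that models how a trusted AD group's SID becomes a GID on an IPA client under the two trust ID-range types: `ipa-ad-trust` maps RIDs onto the range arithmetically, while `ipa-ad-trust-posix` takes the gidNumber stored in AD. The class and function names, the sample SID and the range bounds are constructed, and the arithmetic is a simplified model of the algorithmic mapping, not SSSD's implementation.

```python
"""Constructed model of trust ID-range types; not SSSD or FreeIPA code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdRange:
    base_id: int      # first POSIX id the range hands out
    range_size: int   # number of ids covered by the range
    rid_base: int     # AD RID that maps onto base_id (ipa-ad-trust only)
    range_type: str   # "ipa-ad-trust" or "ipa-ad-trust-posix"


def rid_of(sid: str) -> int:
    """Return the relative identifier, the last component of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])


def posix_gid(rng: IdRange, group_sid: str, ad_gidnumber: Optional[int]) -> Optional[int]:
    """Resolve the GID an IPA client would use for an AD group.

    ipa-ad-trust:       gid = base_id + (rid - rid_base); the gidNumber kept
                        in AD is ignored even when it is set (simplified model).
    ipa-ad-trust-posix: the gidNumber attribute from AD is used as-is; a
                        group without one cannot be resolved.
    Returns None when the group cannot be mapped in that range.
    """
    if rng.range_type == "ipa-ad-trust":
        offset = rid_of(group_sid) - rng.rid_base
        if not 0 <= offset < rng.range_size:
            return None
        return rng.base_id + offset
    if rng.range_type == "ipa-ad-trust-posix":
        return ad_gidnumber
    raise ValueError(f"unknown range type {rng.range_type!r}")


# Constructed sample: one trusted-domain group (RID 1105) that carries
# gidNumber 10004 in AD, and the two kinds of range an admin could define.
AD_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
AD_GIDNUMBER = 10004
ALGORITHMIC = IdRange(1718800000, 200000, 0, "ipa-ad-trust")
POSIX = IdRange(10000, 200000, 0, "ipa-ad-trust-posix")

if __name__ == "__main__":
    print("ipa-ad-trust:      ", posix_gid(ALGORITHMIC, AD_GROUP_SID, AD_GIDNUMBER))  # 1718801105
    print("ipa-ad-trust-posix:", posix_gid(POSIX, AD_GROUP_SID, AD_GIDNUMBER))        # 10004
```

In FreeIPA the POSIX behaviour is selected by creating the trust, or its ID range, with `--range-type=ipa-ad-trust-posix`; the GID on files then matches the gidNumber that AD already holds.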