[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

Robert Sturrock rns at unimelb.edu.au
Fri Oct 21 05:07:16 UTC 2016


> On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> […]
> > However, when I try logging in as a student domain user (student.example.au),
> > I don't see any of the groups (there should be 8):
> > 
> >     $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
> >     [rnst ipa-client-rh7 ~]$ groups
> >     rnst
> > 
> > Is this expected behaviour?  Is there a possible client configuration that
> > will support our AD forest setup or is this simply not possible?
> 
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

I tried the same configuration on FC24, which has sssd-1.14.1-3, but it didn’t work for the student domain either:

$ ssh -l rnst@STUDENT.EXAMPLE.AU ipa-client-fc24.ipa.example.au
-sh-4.3$ groups
rnst

Is the version shipping with RHEL7.3 likely to be different?

Regards,

Robert.



