[Freeipa-users] Default domain for AD groups

Hanoz Elavia h.elavia at atomiccartoons.com
Thu Feb 23 23:42:36 UTC 2017


Hello,

My FreeIPA clients and server are set up to use the AD domain as the
default. This is done using the default_domain_suffix parameter in the sssd
section of the sssd.conf file.

This works fine for users when we use ldapsearch but not so much for
groups. For example:

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
    -b 'cn=compat,dc=ipa,dc=server,dc=com' \
    -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
    '(cn=domaingroup@server.com)'

works fine but

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
    -b 'cn=compat,dc=ipa,dc=server,dc=com' \
    -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
    '(cn=domaingroup)'

won't work. However, the above will work fine for users. I'm using the
following:

AD: Windows 2008 R2
FreeIPA Server: 4.4.0-14
FreeIPA Client: 4.4.0-14
SSSD: 1.14.0-43
Linux version: CentOS 7.3 x86_64

The AD trust is set up with --enable-compat.

Regards,

Hanoz