I also observed one peculiar thing when it comes to group membership of the 
group which is used in my HBAC rule.
When I issue getent group ad_users on the server, I get:
ad_users:*:1010200005:j...@td.mydomain.com

In the FreeIPA's web UI membership looks like follows:

External member
        
S-1-5-21-4217214799-1184961203-849681438-1104
        
S-1-5-21-4217214799-1184961203-849681438-1111
        
j...@td.mydomain.com

and ipa group-find returns these members:
Group name: ad_users_external
Description: ad_domain users external map
External member: S-1-5-21-4217214799-1184961203-849681438-1121, 
S-1-5-21-4217214799-1184961203-849681438-1104, 
S-1-5-21-4217214799-1184961203-849681438-1111

Could it also be that due to what is displayed in the FreeIPA's UI other two 
members are not returned correctly by the getent command?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to