Hello everyone. It looks like I have a problem understanding the way AD trusts work. Maybe someone here can enlighten me.
In our AD we have "normal" users and groups and we have users/groups with POSIX attributes. For the latter we want to use FreeIPA to implement HBAC and Sudo rules. Last week I installed a FreeIPA server (v4.10.1) and created a one-way trust to our AD. This has worked so far, I can log on to my (test) FreeIPA client with my AD user.

My comprehension problem: I can only see AD users and AD groups on the FreeIPA server and on my test client that have POSIX attributes (uid, uidNumber, gidNumber) set. To clarify: "getent passwd" and "getent groups" do not find users and groups that do not have POSIX attributes, and the same applies to "ipa group-add-member". While this does not matter for the users so far, it is a problem for me with the groups, because I can now only select AD groups with POSIX attributes when mapping, i.e. "ipa group-add-member <local group> --external '<AD\Group>'" only works with POSIX groups from the AD.

Why is this a problem? Because I now suddenly see the groups "twice": if I run "id <user>", then I see the original AD group (e.g. "webserver admins" with the gidNumber from the AD) and additionally the mapped group from FreeIPA (with its own gid).

The question I have is, does it have to be like this? Is there no way to select the already existing AD group directly in HBAC and/or Sudo rules? Or, if the mapping has to be to local groups, to select non-POSIX groups from the AD?

Best regards,
Stefan
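The visibility described above (only AD users and groups that carry POSIX attributes resolve on the IPA server and its clients) depends on the ID range type the trust uses: a range of type ipa-ad-trust-posix takes uidNumber/gidNumber from AD and skips objects that lack them, while a range of type ipa-ad-trust derives IDs from SIDs, so all AD users and groups resolve. The following diagnostic is an added example, not code from the poster or from the FreeIPA project; it parses constructed `ipa idrange-find` output (realm names and the SID are placeholders) and reports which case applies.

```shell
# Added diagnostic: classify the ID ranges reported by "ipa idrange-find" and
# flag a trusted-domain range that only resolves AD objects with POSIX attributes.
# On a real server, pipe the live command output instead of SAMPLE_RANGES:
#   ipa idrange-find | classify_ranges

# Constructed sample of "ipa idrange-find" output (placeholder realms and SID).
SAMPLE_RANGES='----------------
2 ranges matched
----------------
  Range name: IPA.EXAMPLE.TEST_id_range
  First Posix ID of the range: 1898400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: AD.EXAMPLE.TEST_id_range
  First Posix ID of the range: 1337000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-111-222-333
  Range type: Active Directory trust range with POSIX attributes
----------------------------
Number of entries returned 2
----------------------------'

# classify_ranges: read idrange-find output on stdin and print one line per
# range: "<range name> posix-attrs-required|sid-mapped|other".
classify_ranges() {
    awk '
        /^ *Range name:/ { sub(/^ *Range name: */, ""); name = $0 }
        /^ *Range type:/ {
            sub(/^ *Range type: */, "")
            if ($0 ~ /with POSIX attributes/)                kind = "posix-attrs-required"
            else if ($0 ~ /^Active Directory domain range/)  kind = "sid-mapped"
            else                                              kind = "other"
            print name, kind
        }'
}

# trust_needs_posix: succeed (exit 0) if any range requires POSIX attributes,
# i.e. AD users/groups without uidNumber/gidNumber will stay invisible.
trust_needs_posix() {
    classify_ranges | grep -q ' posix-attrs-required$'
}

printf '%s\n' "$SAMPLE_RANGES" | classify_ranges
if printf '%s\n' "$SAMPLE_RANGES" | trust_needs_posix; then
    echo "Trust range relies on POSIX attributes: non-POSIX AD groups will not resolve"
fi
```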
