Ahh, that explains it, thank you! Looks like I accidentally added "member User ID override" to a group as opposed to adding an external member.
Cheers,
Yuriy

On Fri, Jan 19, 2024 at 8:12 PM Alexander Bokovoy <[email protected]> wrote:
>
> On Fri, 19 Jan 2024, Yuriy Halytskyy via FreeIPA-users wrote:
> >Hi,
> >
> >At first I've just created an external group, added the user, and
> >added that group to a role but that didn't work. Then I stumbled
> >across this while googling:
> >
> >ipa idoverrideuser-add 'Default Trust View' username@DOMAIN
> >
> >And it works, the user can use IPA commands with AD kerberos ticket
> >and roles apply properly. But I cannot for the life of me figure out
> >what that did and are there any other consequences.
> >
> >Documentation talks about using ID views to override user properties
> >but this doesn't specify any properties to override. Also, it says the
> >view is applied to all AD users, but in that case why do I need to run
> >that command?
>
> You need to look at design pages that most new FreeIPA features have.
>
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-trusted-user.html
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
