On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote:
> hi,
> 
> a bit puzzled now. I have joined another 2k8r2 host to the AD domain that
> is trusted by the ipa domain.
> 
> As AD\administrator I can ssh to the linux host.
> 
> I create a bunch of AD users, standard members of 'Domain Users'. But I
> cannot login to the linux host.
> 
> When I run wbinfo --online-status i get this:
> 
> # wbinfo --online-status
> BUILTIN : online
> IPA : online
> AD : offline
> 
> # wbinfo --domain-info ad.asenjo.nx
> Name              : AD
> Alt_Name          : ad.asenjo.nx
> SID               : S-1-5-21-2508008360-1834726910-79835928
> Active Directory  : No
> Native            : No
> Primary           : No
> 
> # wbinfo --domain ad.asenjo.nx -u
> With this last command I would expect to see all the users I created in the
> AD.
> 
> # getent group ad_users
> ad_users:*:642801446:administra...@ad.asenjo.nx
> 
> this tells me that the external group we created has only the AD
> administrator in it, so it makes sense only this one is allowed. But I

no, this is a wrong interpretation. The group membership for users from
trusted domains is only evaluated at login time with the help of the
data stored in the MS-PAC. Because group-membership resolution in an AD
environment can be cumbersome, especially when it comes to forests and
forest trusts, and the MS-PAC provides all memberships, we decided to
rely only on the MS-PAC here. As a consequence, getent group only shows
the users of the IPA domain and AD users who already logged in
successfully.

> checked the SID of the mapped group:
> 
> # ipa group-show ad_users_external
>   Group name: ad_users_external
>   Description: AD users external map
>   Member of groups: ad_users
>   External member: S-1-5-21-2508008360-1834726910-79835928-513
> 
> And it is the AD\Domain Users sid, I checked it on the windows host because
> wbinfo shows me no info:
> 
> [root@kdc ~]# wbinfo -n "AD\Domain Users"
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name AD\Domain Users
> [root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
> [root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513 -d
> ad.asenjo.nx
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513

looks like winbind has some issues connecting to the AD server. Did you
change any firewall setting that might cause the issue here?

More details might be available in the winbind logs.

bye,
Sumit

> 
> So how can I get the rest of the users in the group mapped?
> 
> TIA,
> 
> -- 
> groet,
> natxo

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
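
The checks discussed in this thread (winbind online status, the domain SID and
its "Domain Users" RID 513, and which AD users already appear in the mapped
POSIX group), as an added example script that is not part of the thread and not
FreeIPA or Samba code. The realm ad.example.test, the SID and the command
outputs it parses are constructed placeholders; the `--live` mode assumes
`wbinfo` and `getent` are available on the IPA server.

```shell
#!/bin/bash
# Added example, not code from the thread or from FreeIPA/Samba: helpers that
# automate the trust diagnosis discussed above. All sample data is constructed;
# the realm ad.example.test and its SID are placeholders.

# Domains that winbind reports offline, one per line, from the text of
# `wbinfo --online-status` (lines look like "AD : offline").
offline_domains() {
    printf '%s\n' "$1" | awk -F' : ' '$2 == "offline" { print $1 }'
}

# Domain SID from the text of `wbinfo --domain-info <realm>`.
domain_sid() {
    printf '%s\n' "$1" | awk -F':' \
        '$1 ~ /^SID[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2 }'
}

# "Domain Users" is the well-known RID 513 under the domain SID.
domain_users_sid() {
    printf '%s-513\n' "$1"
}

# Members of a POSIX group that belong to the trusted AD realm, from one line of
# `getent group <name>` output. Only AD users who have logged in at least once
# are listed: IPA takes trusted-domain memberships from the MS-PAC at login
# time instead of enumerating AD, so an AD user missing here may still be
# allowed to log in.
ad_members_in_group() {
    printf '%s\n' "$1" | awk -F':' -v realm="$2" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] ~ ("@" realm "$")) print m[i] }'
}

# Constructed sample data standing in for real command output.
SAMPLE_STATUS='BUILTIN : online
IPA : online
AD : offline'
SAMPLE_DOMAIN_INFO='Name              : AD
Alt_Name          : ad.example.test
SID               : S-1-5-21-1111111111-2222222222-3333333333
Active Directory  : No
Native            : No
Primary           : No'
# bob is an IPA user; the two @ad.example.test entries are AD users who have
# already logged in once.
SAMPLE_GROUP='ad_users:*:642801446:bob,administrator@ad.example.test,alice@ad.example.test'

# Live run on the IPA server (root, wbinfo and getent present):
#   ./trust-check.sh --live ad.example.test ad_users
if [ "${1:-}" = "--live" ]; then
    realm=$2 group=$3
    off=$(offline_domains "$(wbinfo --online-status)")
    if [ -n "$off" ]; then
        echo "winbind reports offline domain(s): $off" >&2
        echo "check firewall/DNS reachability of the AD DCs and the winbind logs" >&2
        exit 1
    fi
    sid=$(domain_sid "$(wbinfo --domain-info "$realm")")
    echo "Domain Users SID for $realm: $(domain_users_sid "$sid")"
    echo "AD users already seen in group $group:"
    ad_members_in_group "$(getent group "$group")" "$realm"
fi
```

Run it with `--live` on the IPA server to reproduce the thread's three checks in one go; an offline trusted domain is reported first, since a SID or name lookup cannot succeed while winbind has no connection to a domain controller. The realm is used as a regular expression suffix in `ad_members_in_group`, which is adequate for a diagnostic but would need escaping of the dots for an exact match.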
