Hello.
Not sure whether it happened after the update, but now we are on 4.1 and on some servers we 
have only AD groups (if one is primary for the user) and no IPA groups that have the AD 
external group as a member.
For example, on the IPA server we have
# id afrolush...@ad.com
uid=236658172(afrolush...@ad.com) gid=236658172(afrolush...@ad.com) 
groups=236658172(afrolush...@ad.com),236658193(sib-dwh-sa-adm...@ad.com),810800020(sib-dwh-sa-admins),236667642(rhidm-sa-adm...@ad.com)
Here the group 236658193(sib-dwh-sa-adm...@ad.com) 
has an IPA group 810800020(sib-dwh-sa-admins), and it is not primary for the user.
The group that is primary for this user, 
236667642(rhidm-sa-adm...@ad.com), also has an IPA 
group, but it is not displayed in the id command output.
On some other servers (IPA clients) it displays ONLY AD groups:
# id afrolush...@megafon.ru
uid=236658172(afrolush...@ad.com) gid=236658172(afrolush...@ad.com) 
groups=236658172(afrolush...@ad.com),236667642(rhidm-sa-adm...@ad.com),236658193(sib-dwh-sa-adm...@ad.com)

This is a big problem for us, because on those servers we cannot use HBAC & 
sudo; also, we don't think the primary AD group is an exception that cannot be used in 
IPA authorization.



WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
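The symptom reported above is that an AD group resolves on a host while the IPA POSIX group that holds it as an external member does not, which means any HBAC or sudo rule written against the IPA group silently stops applying there. The following is an added example (not code from the post or from the FreeIPA project) of a check an administrator can run over `id` output collected from several hosts: it parses the `uid=...(...) gid=...(...) groups=...` format shown in the post and reports each AD group whose mapped IPA group is absent. The group names, IDs and the AD-to-IPA mapping are constructed, hypothetical sample data; in practice the mapping comes from the administrator's own `ipa group-show` output for each group that has an external member.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# One "<gid>(<name>)" entry from `id` output; names may contain '@' and spaces.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")
# The whole line: uid=<n>(<name>) gid=<n>(<name>) groups=<entry>,<entry>,...
_ID_LINE = re.compile(
    r"^uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\(([^)]*)\)\s+groups=(.*)$"
)


class IdRecord(NamedTuple):
    uid: int
    user: str
    gid: int
    primary_group: str
    groups: Dict[str, int]  # every group listed after groups=, name -> gid


def parse_id_output(line: str) -> IdRecord:
    """Parse one line of `id <user>` output into uid, primary gid and groups."""
    m = _ID_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not an `id` output line: {line!r}")
    uid, user, gid, primary, rest = m.groups()
    groups = {name: int(num) for num, name in _ENTRY.findall(rest)}
    return IdRecord(int(uid), user, int(gid), primary, groups)


def missing_ipa_groups(
    record: IdRecord, external_map: Dict[str, str]
) -> List[Tuple[str, str]]:
    """Return (ad_group, ipa_group) pairs where the AD group resolved for the
    user but the IPA group holding it as an external member did not.
    HBAC and sudo rules reference the IPA group, so each pair is a rule
    that will not apply on the host the output came from."""
    return [
        (ad_group, ipa_group)
        for ad_group, ipa_group in external_map.items()
        if ad_group in record.groups and ipa_group not in record.groups
    ]


def compare_hosts(
    outputs: Dict[str, str], external_map: Dict[str, str]
) -> Dict[str, List[Tuple[str, str]]]:
    """Run the check over `id` output collected from several hosts."""
    return {
        host: missing_ipa_groups(parse_id_output(line), external_map)
        for host, line in outputs.items()
    }


# Constructed sample data (hypothetical names and IDs, not from the post).
# AD external group -> IPA POSIX group that lists it as a member.
EXTERNAL_MAP = {
    "team-adm@ad.example.com": "team-admins",
    "rhidm-adm@ad.example.com": "rhidm-admins",
}

# Constructed: on the IPA server one AD group maps to its IPA group, the other
# does not (same shape as the server output in the post).
SERVER_ID_OUTPUT = (
    "uid=1001(aduser@ad.example.com) gid=1001(aduser@ad.example.com) "
    "groups=1001(aduser@ad.example.com),1002(team-adm@ad.example.com),"
    "2001(team-admins),1003(rhidm-adm@ad.example.com)"
)

# Constructed: on the client only AD groups are returned.
CLIENT_ID_OUTPUT = (
    "uid=1001(aduser@ad.example.com) gid=1001(aduser@ad.example.com) "
    "groups=1001(aduser@ad.example.com),1003(rhidm-adm@ad.example.com),"
    "1002(team-adm@ad.example.com)"
)

if __name__ == "__main__":
    results = compare_hosts(
        {"ipa-server": SERVER_ID_OUTPUT, "ipa-client": CLIENT_ID_OUTPUT},
        EXTERNAL_MAP,
    )
    for host, missing in results.items():
        if not missing:
            print(f"{host}: all mapped IPA groups present")
        else:
            pairs = ", ".join(f"{ad} -> {ipa}" for ad, ipa in missing)
            print(f"{host}: IPA groups missing for {pairs}")
```

Feeding the script the real `id` output from the server and from each affected client makes the difference the post describes explicit per host, and the same check can be run after any fix to confirm the groups are back before relying on HBAC or sudo rules again.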


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project