SSSD is able to evaluate group membership, but if for instance I create a
view for my user and I add a ssh public key I can only use it to login
passwordless in the IPA server, not on an IPA client. The password still
works, but I see nothing in the sssd logs that explains why the pubkey was
rejected on the IPA client. Could be that the client is not really aware
that there is a view override? I thought that the external mapping would
facilitate this..

On Mon, Jul 13, 2015 at 11:46 PM, Alexander Bokovoy <>

> On Mon, 13 Jul 2015, Angelo Pantano wrote:
>> I have the same entry there, my question is that I don't understand why it
>> doesn't it give me any visibility of the AD users mapped in that group, I
>> mean I just see that entry, but what's that supposed to do? It doesn't
>> really change anything with or without, I am missing the supposed value of
>> having the AD users mapped in a FreeIPA posix group.
>> I was expecting to see the AD users in that group, but I got nothing.. I'm
>> a bit confused
> Read the documentation.
> Once you added AD user or group as external member of an external IPA
> group and then added this group as a member of IPA POSIX group, the user
> belonging to AD group would appear as a member of IPA POSIX group:
> # id administra...@adx.test
> uid=1878600500(administra...@adx.test)
> gid=1878600500(administra...@adx.test)
> groups=1878600500(administra...@adx.test),1878600520(group policy
> creator own...@adx.test),1878600519(enterprise
> adm...@adx.test),1878600512(domain adm...@adx.test),1878600518(schema
> adm...@adx.test),1878600513(domain us...@adx.test),1634400007(ad_admins)
> You wouldn't see this in the web UI because web UI is showing what is in
> the LDAP, not what is visible in the system when SSSD evaluates the
> group membership.
> --
> / Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to