On Fri, 19 Feb 2016, Vladimir Kondratyev wrote:

I installed latest ipa-server-4.2.0-15.el7_2.6.x86_64 with slapi-nis
plugin on RHEL7.2 than installed and configured
ipa-server-trust-ad-4.2.0-15.el7_2.6.x86_64 with compat-schema option
and than successfully established one-way trust with Win2008R2 domain
(named ad.dlink)

After that following objects have been created in AD:

"linux admins@ad.dlink"
"linux users@ad.dlink"

"user2@ad.dlink" - member of "linux users@ad.dlink"
"user3@ad.dlink" - member of both "linux users@ad.dlink" and "linux 
admins@ad.dlink" groups

On IPA side i created following groups and relations:

external member -> external ipa group -> posix ipa group
"linux admins@ad.dlink" -> "ad_la_ext" -> "ad_la"
"linux users@ad.dlink" -> "ad_lu_ext" -> "ad_lu"

So "user2@ad.dlink" being logged in to ipa-client becomes a member of
"ad_lu" posix group and "user3@ad.dlink" becomes a member of both
"ad_la" and "ad_lu" groups

That is working like intended for sssd1.9+ clients but not for legacy
Yes, there is a complex issue in SSSD and slapi-nis that prevents
AD members of IPA groups to be fully resolved for legacy clients.
A good thing is that it is now almost fixed and updates for sssd and
slapi-nis  will appear in next RHEL 7 update.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to