On Fri, 19 Feb 2016, Vladimir Kondratyev wrote:
Hi

I installed latest ipa-server-4.2.0-15.el7_2.6.x86_64 with slapi-nis
plugin on RHEL7.2, then installed and configured
ipa-server-trust-ad-4.2.0-15.el7_2.6.x86_64 with compat-schema option
and then successfully established one-way trust with Win2008R2 domain
(named ad.dlink)

After that following objects have been created in AD:

groups:
"linux admins@ad.dlink"
"linux users@ad.dlink"

users:
"user2@ad.dlink" - member of "linux users@ad.dlink"
"user3@ad.dlink" - member of both "linux users@ad.dlink" and "linux 
admins@ad.dlink" groups

On the IPA side I created the following groups and relations:

external member -> external ipa group -> posix ipa group
"linux admins@ad.dlink" -> "ad_la_ext" -> "ad_la"
"linux users@ad.dlink" -> "ad_lu_ext" -> "ad_lu"

So "user2@ad.dlink" being logged in to ipa-client becomes a member of
"ad_lu" posix group and "user3@ad.dlink" becomes a member of both
"ad_la" and "ad_lu" groups

That is working like intended for sssd1.9+ clients but not for legacy
clients

Yes, there is a complex issue in SSSD and slapi-nis that prevents
AD members of IPA groups from being fully resolved for legacy clients.
The good thing is that it is now almost fixed, and updates for sssd and
slapi-nis will appear in the next RHEL 7 update.

--
/ Alexander Bokovoy
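The external-member -> external-group -> POSIX-group chain described in the question, as an added shell example that is not from either poster: it emits the ipa CLI commands for one chain and checks a `getent group` line (what a legacy nss_ldap client returns from the compat tree) for an expected member. The group names follow the question; the getent lines and GIDs are constructed.

```shell
#!/bin/sh
# Added example: builds the ipa commands for one chain
#   "AD group@ad.dlink" -> external IPA group -> POSIX IPA group
# and checks a `getent group NAME` line for an expected member.
AD_DOMAIN="ad.dlink"

# chain_commands AD_GROUP EXT_GROUP POSIX_GROUP
# Prints the four ipa commands; review them, then run them on the IPA server.
chain_commands() {
  ad_group="$1"; ext="$2"; posix="$3"
  printf 'ipa group-add --external "%s"\n' "$ext"
  printf 'ipa group-add-member "%s" --external "%s@%s"\n' "$ext" "$ad_group" "$AD_DOMAIN"
  printf 'ipa group-add "%s"\n' "$posix"
  printf 'ipa group-add-member "%s" --groups "%s"\n' "$posix" "$ext"
}

# has_member GETENT_LINE USER
# Returns 0 if USER is listed in the member field (4th colon field)
# of a `getent group NAME` line, 1 otherwise.
has_member() {
  line="$1"; user="$2"
  members=$(printf '%s\n' "$line" | cut -d: -f4)
  printf '%s\n' "$members" | tr ',' '\n' | grep -qxF -- "$user"
}

# Constructed samples of what `getent group` should show on a client once
# AD membership resolves through the compat tree (GIDs are made up).
SAMPLE_AD_LU='ad_lu:*:1640000005:user2@ad.dlink,user3@ad.dlink'
SAMPLE_AD_LA='ad_la:*:1640000006:user3@ad.dlink'

if [ "${1:-}" = "demo" ]; then
  chain_commands "linux admins" ad_la_ext ad_la
  chain_commands "linux users" ad_lu_ext ad_lu
  has_member "$SAMPLE_AD_LU" "user2@ad.dlink" && echo "user2 in ad_lu: ok"
  has_member "$SAMPLE_AD_LA" "user2@ad.dlink" || echo "user2 not in ad_la: expected"
fi
```

On a legacy client, compare the real `getent group ad_lu` output against the membership the chain should produce; an empty member field is the symptom of the resolution issue discussed in the reply.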
