On Fri, 19 Feb 2016, Vladimir Kondratyev wrote:
I installed latest ipa-server-4.2.0-15.el7_2.6.x86_64 with slapi-nis
plugin on RHEL7.2, then installed and configured
ipa-server-trust-ad-4.2.0-15.el7_2.6.x86_64 with compat-schema option
and then successfully established one-way trust with Win2008R2 domain
After that following objects have been created in AD:
"email@example.com" - member of "linux firstname.lastname@example.org"
"email@example.com" - member of both "linux firstname.lastname@example.org" and "linux
On IPA side I created following groups and relations:
external member -> external ipa group -> posix ipa group
"linux email@example.com" -> "ad_la_ext" -> "ad_la"
"linux firstname.lastname@example.org" -> "ad_lu_ext" -> "ad_lu"
So "email@example.com" being logged in to ipa-client becomes a member of
"ad_lu" posix group and "firstname.lastname@example.org" becomes a member of both
"ad_la" and "ad_lu" groups
That is working like intended for sssd 1.9+ clients but not for legacy
Yes, there is a complex issue in SSSD and slapi-nis that prevents
AD members of IPA groups from being fully resolved for legacy clients.
A good thing is that it is now almost fixed and updates for sssd and
slapi-nis will appear in the next RHEL 7 update.
/ Alexander Bokovoy
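The group chain from the report (external member -> external IPA group -> POSIX IPA group), as an added example that is not part of the thread: the ipa CLI calls that build it, plus a helper to check a `getent group` line on a client, which is where the legacy-client difference described above shows up. The AD domain and AD group names are assumptions, since the originals are redacted; DRY_RUN=1 (the default) only prints the ipa commands.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: AD domain
# AD.EXAMPLE.TEST, AD groups "linux admins" and "linux users".
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# create_chain EXT_GROUP POSIX_GROUP 'AD_DOMAIN\AD group'
create_chain() {
    ext="$1"; posix="$2"; adgroup="$3"
    # Non-POSIX IPA group that can hold AD SIDs as external members
    run ipa group-add "$ext" --external --desc "AD members of $posix"
    # IPA resolves the AD group name to its SID and stores it here
    run ipa group-add-member "$ext" --external "$adgroup"
    # POSIX group that clients see; nest the external group in it
    run ipa group-add "$posix" --desc "POSIX group for $adgroup"
    run ipa group-add-member "$posix" --groups "$ext"
}

# group_has_member "name:x:gid:m1,m2" user -> exit 0 if user is listed.
# Takes a `getent group NAME` line: on a legacy client it comes from the
# slapi-nis compat tree, on sssd 1.9+ from the IPA group directly.
group_has_member() {
    members=$(printf '%s' "$1" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx "$2"
}

# The two chains from the report (AD group names are assumptions).
create_chain ad_la_ext ad_la 'AD.EXAMPLE.TEST\linux admins'
create_chain ad_lu_ext ad_lu 'AD.EXAMPLE.TEST\linux users'

# On a client, verify with e.g.:  getent group ad_lu | while read l; do
#   group_has_member "$l" 'admin1@ad.example.test' && echo member; done
```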
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project