We have an interesting scenario that is hard to find any information on.

Due to permission restrictions on a NAS that is mounted and visible to both
AD and 'nix clients, every user belongs to a particular primary group.

When we try doing idoverrides on the groups, it fails with the primary
group. In some cases, the primary group doesn't even appear in a getent or
id request. Sometimes it appears with an incorrect name or GID.

We have found it hard to get repeatable "failures", but here are two:

1. getent group <groupname> (where groupname is any group, but is a primary
   group for a subset of members)

   - does not return any member that has groupname as a primary group in AD.

2. Overriding a group

   - if the user has that group as a primary group (in AD), it will override
     the name, but not the GID.
   - else, the override works.

There were a number of other unusual results that are hard to explain how
to reproduce because it was all so seemingly random.

I feel like it would be an obvious need - to translate or override AD
primary groups to FreeIPA groups, but this doesn't seem possible.

Have we set IPA up incorrectly, or are we hitting on something else?

I found this AD support problem for Win2003, but I feel like it's old and
would surely have been solved?

Also, their solution ("hack AD, then hack your other LDAP software") is,
for some reason, funny to me.


The most dangerous phrase in the language is, "We've always done it this
- Grace Hopper
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

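The first "failure" above (getent group omitting members whose primary group it is) follows from how Active Directory stores primary-group membership: a user's primary group is recorded only in the user's own primaryGroupID attribute, which holds the group's RID (the last sub-authority of the group's objectSid), and the group's member attribute does not list such users. Anything that enumerates members from the member attribute alone will miss them. The script below is an added example, not code from the original post or from FreeIPA/SSSD: it resolves membership over constructed AD-style records (the domain SID, account names and DNs are hypothetical) and shows the difference between the explicit member list and the full membership once primaryGroupID is taken into account.

```python
"""Resolve AD group membership including implicit primary-group members.

Added example; not part of the original mailing-list post or of FreeIPA/SSSD.
All records below are constructed test data with hypothetical names and SIDs.
"""

# Constructed domain SID (hypothetical). Group SIDs are DOMAIN_SID + "-" + RID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed AD-style group objects: 'member' holds DNs only for explicit members.
GROUPS = [
    {"sAMAccountName": "research",
     "objectSid": DOMAIN_SID + "-1105",
     "member": ["CN=carol,CN=Users,DC=example,DC=test"]},
    {"sAMAccountName": "Domain Users",
     "objectSid": DOMAIN_SID + "-513",
     "member": []},
]

# Constructed AD-style user objects: primaryGroupID is the RID of the primary group.
USERS = [
    {"sAMAccountName": "alice", "dn": "CN=alice,CN=Users,DC=example,DC=test",
     "primaryGroupID": 1105},
    {"sAMAccountName": "bob", "dn": "CN=bob,CN=Users,DC=example,DC=test",
     "primaryGroupID": 513},
    {"sAMAccountName": "carol", "dn": "CN=carol,CN=Users,DC=example,DC=test",
     "primaryGroupID": 513},
]


def rid_from_sid(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of a textual SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def explicit_members(group: dict, users: list) -> set:
    """Members listed in the group's 'member' attribute (what a naive enumeration sees)."""
    by_dn = {u["dn"]: u["sAMAccountName"] for u in users}
    return {by_dn[dn] for dn in group["member"] if dn in by_dn}


def implicit_primary_members(group: dict, users: list) -> set:
    """Users whose primaryGroupID equals this group's RID; absent from 'member'."""
    rid = rid_from_sid(group["objectSid"])
    return {u["sAMAccountName"] for u in users if u["primaryGroupID"] == rid}


def all_members(group: dict, users: list) -> set:
    """Full membership: explicit member entries plus primary-group users."""
    return explicit_members(group, users) | implicit_primary_members(group, users)


def groups_of(user: dict, groups: list) -> set:
    """Groups a user belongs to, including the one named only via primaryGroupID."""
    names = set()
    for g in groups:
        if user["dn"] in g["member"] or rid_from_sid(g["objectSid"]) == user["primaryGroupID"]:
            names.add(g["sAMAccountName"])
    return names


def membership_report(groups: list, users: list) -> dict:
    """Map each group name to (explicit, full) member sets for side-by-side comparison."""
    return {g["sAMAccountName"]: (explicit_members(g, users), all_members(g, users))
            for g in groups}


if __name__ == "__main__":
    for name, (explicit, full) in membership_report(GROUPS, USERS).items():
        missing = sorted(full - explicit)
        print(f"{name}: member attribute -> {sorted(explicit)}; "
              f"with primaryGroupID -> {sorted(full)}; hidden primary members -> {missing}")
```

When checking a real domain, compare the output of getent group <groupname> against an LDAP query that selects users by (primaryGroupID=<RID of the group>); a user that appears only in the second query is exactly the case described in the post.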