On 05/16/2016 05:28 AM, Lachlan Musicman wrote:
> Hola,
>
> We have an interesting scenario that is hard to find any information on.
>
> Due to permission restrictions, a NAS that is mounted and visible by both AD
> and 'nix clients, every user belongs to a particular primary group.
>
> When we try doing idoverrides on the groups, it fails with the Primary
> Group. In some cases, the primary group doesn't even appear in a getent or id
> request. Sometimes it appears with incorrect name or GID.
>
> We have found it hard to get repeatable "failures", but here are two:
>
> 1. getent group <groupname> (where groupname is any group, but is a primary
> group for a subset of members)
>
> - does not return any member that has groupname as a primary group in AD.
>
> 2. Overriding a group
>
> if the user has that group as a primary group (in AD), it will override the
> name, but not the GID.
> else, the override works.
>
> There were a number of other unusual results that are hard to explain how to
> reproduce because it was all so seemingly random.
>
>
> I feel like it would be an obvious need - to translate or override AD primary
> groups to FreeIPA groups, but this doesn't seem possible.
>
> Have we set IPA up incorrectly, or are we hitting on something else?
>
> I found this AD support problem for Win2003, but I feel like it's old and
> would surely have been solved? https://support.microsoft.com/en-us/kb/275523
>
> Also, their solution ("hack AD, then hack your other LDAP software") is, for
> some reason, funny to me.
>
> Cheers
> L.
Hello Lachlan,

It seems you are looking for this extension: https://fedorahosted.org/sssd/ticket/1872

It is not done yet; there is plenty of information in the ticket comments.

Please let us know if this does not help.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
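Lachlan's first repeatable symptom (users whose AD primary group is `<groupname>` do not show up in `getent group <groupname>`) is easiest to pin down by cross-checking the passwd map against the group map, because in the POSIX model a primary-group membership lives only in the GID field of the user's passwd entry, not in the group entry's member list. The script below is an added example written for this thread, not code from the thread or from SSSD/FreeIPA; it runs over constructed sample data shaped like `getent passwd` and `getent group` output (all names, UIDs and GIDs are made up) and classifies each user's primary GID as listed, not-listed, or missing-group.

```shell
#!/bin/sh
# Added example, not part of the original thread. Cross-checks a passwd map
# against a group map and reports, per user, whether the group owning the
# user's primary GID exists and whether its member list names the user.

# Constructed sample data in `getent passwd` / `getent group` format.
# Every name and number here is made up for the example.
PASSWD_DATA='alice:*:10001:20001:Alice:/home/alice:/bin/bash
bob:*:10002:20002:Bob:/home/bob:/bin/bash
carol:*:10003:20001:Carol:/home/carol:/bin/bash
dave:*:10004:20003:Dave:/home/dave:/bin/bash'

GROUP_DATA='devs:*:20001:alice
ops:*:20002:'

# primary_group_report PASSWD_TEXT GROUP_TEXT
# Prints one line per user: "<user> <primary-gid> <status>" where status is
#   listed         the group exists and its member list names the user
#   not-listed     the group exists but its member list omits the user
#   missing-group  no group entry carries that GID at all
primary_group_report() {
    printf '%s\n' "$1" | awk -F: -v groups="$2" '
        BEGIN {
            # Index the group map by GID: name and a comma-wrapped member list
            # so a whole-name search ",user," cannot match a substring.
            n = split(groups, lines, "\n")
            for (i = 1; i <= n; i++) {
                m = split(lines[i], f, ":")
                if (m < 3) continue
                gname[f[3]] = f[1]
                members[f[3]] = "," f[4] ","
            }
        }
        NF >= 4 {
            user = $1; gid = $4
            if (!(gid in gname)) status = "missing-group"
            else if (index(members[gid], "," user ",") > 0) status = "listed"
            else status = "not-listed"
            print user, gid, status
        }
    '
}

# count_status STATUS
# Number of users in the sample data whose primary group has the given status.
count_status() {
    primary_group_report "$PASSWD_DATA" "$GROUP_DATA" |
        awk -v s="$1" '$3 == s { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed data.
primary_group_report "$PASSWD_DATA" "$GROUP_DATA"
```

Against a live client, feed the real maps with `primary_group_report "$(getent passwd)" "$(getent group)"`; a `missing-group` row is the stronger signal, since it means the GID that `id` reports for the user resolves to no group at all, which matches the "incorrect name or GID" symptom rather than the normal absence of primary members from a group's member list.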