On Mon, May 16, 2016 at 03:27:39PM +0200, Martin Kosek wrote:
> On 05/16/2016 05:28 AM, Lachlan Musicman wrote:
> > Hola,
> > 
> > We have an interesting scenario that is hard to find any information on.
> > 
> > Due to permission restrictions, a NAS that is mounted and visible by both AD and 'nix clients, every user belongs to a particular primary group.
> > 
> > When we try doing idoverride's on the groups, it fails with the Primary Group.
> > In some cases, the primary group doesn't even appear in a getent or id request.
> > Sometimes it appears with incorrect name or GID.
> > 
> > We have found it hard to get repeatable "failures", but here are two:
> > 
> > 1. getent group <groupname> (where groupname is any group, but is a primary group for a subset of members)
> > 
> >   - does not return any member that has groupname as a primary group in AD.
> > 
> > 2. Overriding a group
> > 
> > if the user has that group as a primary group (in AD), it will override the name, but not the GID.
> > else, the override works.
> > 
> > There were a number of other unusual results that are hard to explain how to reproduce because it was all so seemingly random.
> > 
> > 
> > I feel like it would be an obvious need - to translate or override AD primary groups to FreeIPA groups, but this doesn't seem possible.
> > 
> > Have we set IPA up incorrectly, or are we hitting on something else?
> > 
> > I found this AD support problem for Win2003, but I feel like it's old and would surely have been solved? https://support.microsoft.com/en-us/kb/275523
> > 
> > Also, their solution ("hack AD, then hack your other LDAP software") is, for some reason, funny to me.
> > 
> > Cheers
> > L.
> 
> Hello Lachlan,
> 
> It seems you are looking for this extension:
> https://fedorahosted.org/sssd/ticket/1872
> 
> It is not done yet, there is a plenty of information in the ticket comments.
> Please let us know if this does not help.

I think for IPA-AD trust, this ticket is not related that much, the
ticket is more about direct SSSD->AD integration.

I keep Lachlan's mail unread to circle back when I have a bit more time
to test, but in general, it is required for the group override object to
also exist so that SSSD can resolve the overridden gid with getgrgid().
However, it seems that the OP already did that, which is why I would
like to test their use case a bit more locally.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
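The reply above says that an overridden primary GID only resolves if a group override object with that GID also exists, because SSSD looks it up with getgrgid(). The following POSIX sh check is an added example, not from the thread or from SSSD itself: it scans passwd- and group-format data (the shape `getent passwd` / `getent group` produce) and lists every user whose primary GID has no group entry, which is the condition the reply describes. The sample data, user and group names, and GIDs are constructed for the example.

```sh
#!/bin/sh
# Added example (not part of the mailing list thread). On a live IPA/AD
# trust client, run it against the real NSS output instead of the sample:
#   check_primary_gids "$(getent passwd)" "$(getent group)"

# Constructed sample data: alice's primary GID 20001 has a matching group
# entry (an override exists); bob's primary GID 20002 has none, which is
# the "primary group missing from getent/id" symptom from the thread.
SAMPLE_PASSWD='alice:*:10001:20001:Alice:/home/alice:/bin/sh
bob:*:10002:20002:Bob:/home/bob:/bin/sh
carol:*:10003:20003:Carol:/home/carol:/bin/sh'
SAMPLE_GROUP='nas_staff:*:20001:alice
nas_research:*:20003:carol'

# Emulates what getgrgid() would see: succeeds if some group line's
# third field (numeric GID) equals $2 in the group data $1.
gid_resolves() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$3 == g { found = 1 } END { exit !found }'
}

# Prints "user:gid" for every user whose primary GID has no group entry.
# Arguments: $1 = passwd-format text, $2 = group-format text.
check_primary_gids() {
    passwd_data=$1
    group_data=$2
    printf '%s\n' "$passwd_data" | while IFS=: read -r user pw uid gid rest; do
        [ -n "$user" ] || continue
        if ! gid_resolves "$group_data" "$gid"; then
            printf '%s:%s\n' "$user" "$gid"
        fi
    done
}
```

An empty result means every user's primary GID is resolvable; any line printed names a user whose ID override will not take effect until a matching group override (with that GID) exists.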