On Mon, 16 May 2016, Lachlan Musicman wrote:
> Hola,
>
> We have an interesting scenario that is hard to find any information on.
>
> Due to permission restrictions on a NAS that is mounted and visible by both
> AD and 'nix clients, every user belongs to a particular primary group.
> What scope do these primary groups have in AD?
>
> When we try doing ID overrides on the groups, it fails with the primary
> group. In some cases, the primary group doesn't even appear in a getent or
> id request. Sometimes it appears with an incorrect name or GID.
>
> We have found it hard to get repeatable "failures", but here are two:
>
> 1. getent group <groupname> (where groupname is any group, but is a primary
> group for a subset of members)
>
> - does not return any member that has groupname as a primary group in AD.
>
> 2. Overriding a group
>
> If the user has that group as a primary group (in AD), it will override the
> name, but not the GID.
> Otherwise, the override works.
>
> There were a number of other unusual results that are hard to explain how
> to reproduce because it was all so seemingly random.
Primary groups in AD are a bit complex. SSSD needs to improve on its
handling as, for example, Samba only recognizes primary groups from AD,
not any others, and there should be some coherence to make things
actually work correctly.

> I feel like it would be an obvious need - to translate or override AD
> primary groups to FreeIPA groups, but this doesn't seem possible.
There is only one primary group for a user. For Kerberos operations we
currently don't take ID overrides into account when constructing MS-PAC,
so if an AD user comes with GSSAPI to a FreeIPA client, its primary group SID
will stay pinned to AD's group, ignoring ID overrides.

I'm not sure it would be possible to amend primary group SIDs with ID
overrides in general because a numeric value in the override for a gid
does not mean there is an actual group with a proper SID and name in
FreeIPA for that gid.

There is another issue, though. If a user's primary group has a domain
local scope, FreeIPA will not be able to use that group through the
forest boundary; at least, it should be ignored according to the AD
specs.

--
/ Alexander Bokovoy
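The first "failure" above (getent group not listing users whose primary group is that group) is worth a concrete check, because a POSIX group entry's member field conventionally carries only supplementary members while primary membership lives in the passwd entry's GID field. The script below is an added example, not code from either poster or from the FreeIPA/SSSD projects: it joins both NSS sources to compute a group's effective membership, and flags users whose primary GID has no group entry at all (the "primary group doesn't appear in getent" symptom). The passwd and group lines are constructed sample data; on a real client you would feed it the output of `getent passwd` and `getent group` instead.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA/SSSD projects.
# Computes the effective membership of a POSIX group by joining two NSS
# sources: the group entry's member field (supplementary members) and the
# passwd entries whose primary GID (field 4) equals the group's GID.
# The sample data below is constructed; for a real check feed it the
# output of "getent passwd" and "getent group" instead.

SAMPLE_PASSWD='alice:*:10001:20001:Alice:/home/alice:/bin/sh
bob:*:10002:20001:Bob:/home/bob:/bin/sh
carol:*:10003:20002:Carol:/home/carol:/bin/sh
dave:*:10004:20003:Dave:/home/dave:/bin/sh'

SAMPLE_GROUP='researchers:*:20001:carol
admins:*:20002:alice'

# effective_members GROUPNAME PASSWD_DATA GROUP_DATA
# Prints the union of listed members and primary-group members, sorted,
# one per line. Returns 1 if the group has no entry at all.
effective_members() {
    em_name=$1
    em_passwd=$2
    em_group=$3
    em_gid=$(printf '%s\n' "$em_group" | awk -F: -v g="$em_name" '$1 == g { print $3 }')
    [ -n "$em_gid" ] || return 1
    {
        # supplementary members from the group entry's comma-separated member field
        printf '%s\n' "$em_group" | awk -F: -v g="$em_name" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        # primary members: passwd entries whose GID field matches the group's GID
        printf '%s\n' "$em_passwd" | awk -F: -v gid="$em_gid" '$4 == gid { print $1 }'
    } | sort -u
}

# orphan_primary_gids PASSWD_DATA GROUP_DATA
# Prints "user:gid" for every user whose primary GID has no group entry,
# i.e. a primary group that "id" or "getent group" cannot resolve to a name.
orphan_primary_gids() {
    printf '%s\n' "$1" | GROUP_DATA="$2" awk -F: '
        BEGIN {
            n = split(ENVIRON["GROUP_DATA"], lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); known[f[3]] = 1 }
        }
        !($4 in known) { print $1 ":" $4 }'
}

# Usage on the constructed data:
effective_members researchers "$SAMPLE_PASSWD" "$SAMPLE_GROUP"   # alice, bob, carol (one per line)
orphan_primary_gids "$SAMPLE_PASSWD" "$SAMPLE_GROUP"              # dave:20003
```

Comparing `effective_members` against the raw `getent group` member list for a group separates the expected case (primary members simply not listed) from a genuine resolution problem (a user's GID with no matching group, or a name/GID that differs from what the ID override was meant to produce).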

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
