> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Martin Kosek
> Sent: Monday, 16 May 2016 11:28 PM
> To: Lachlan Musicman; email@example.com
> Subject: Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
> On 05/16/2016 05:28 AM, Lachlan Musicman wrote:
> > Hola,
> > We have an interesting scenario that is hard to find any information on.
> > Due to permission restrictions, a NAS that is mounted and visible by
> > both AD and 'nix clients, every user belongs to a particular primary group.
> > When we try doing idoverrides on the groups, it fails with the Primary
> > Group.
> > In some cases, the primary group doesn't even appear in a getent or id
> > request.
> > Sometimes it appears with incorrect name or GID.
> > We have found it hard to get repeatable "failures", but here are two:
> > 1. getent group <groupname> (where groupname is any group, but is a
> > primary group for a subset of members)
> > - does not return any member that has groupname as a primary group in AD.
> > 2. Overriding a group
> > if the user has that group as a primary group (in AD), it will
> > override the name, but not the GID.
> > else, the override works.
> > There were a number of other unusual results that are hard to explain
> > how to reproduce because it was all so seemingly random.
> > I feel like it would be an obvious need - to translate or override AD
> > primary groups to FreeIPA groups, but this doesn't seem possible.
> > Have we set IPA up incorrectly, or are we hitting on something else?
> > I found this AD support problem for Win2003, but I feel like it's old
> > and would surely have been solved?
> > https://support.microsoft.com/en-us/kb/275523
> > Also, their solution ("hack AD, then hack your other LDAP software")
> > is, for some reason, funny to me.
> It seems you are looking for this extension:
> It is not done yet; there is plenty of information in the ticket comments.
> Please let us know if this does not help.
Thanks for your response. This doesn't quite fit our issues. This is explicitly
about *private* groups in NIX (where adding a new user creates GID==UID and
enrols that user).
Our problem is explicitly a *Primary Groups in AD* problem. Users that exist in
AD have a primary group (traditionally "Domain Users") which we are using for
other reasons (access control based on groups to files that are mounted on both
AD and NIX servers).
In FreeIPA ( ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 on fully up to date
CentOS 7.2), after joining the AD (domain.org) in a one-way trust as a
subdomain (unix.domain.org), when we query AD, it explicitly ignores AD-based
Primary Groups: membership and overrides seem to fail.
Does that make sense?
I can see that it's vaguely related to the private group, but only insofar
as it's the group that is assigned to the user (if you look in /etc/passwd on
our pre-IPA system, our user data look like:
lsimpson:x:1542:10007::/home/lsimpson:/bin/bash where 10007 is the id of the
primary group in AD).
Obviously this data is no longer in /etc/passwd, but it doesn't seem to be able
to be affected (via idoverrides).
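The symptom in the thread is that a user's primary group (the fourth passwd field) counts as membership for file access, yet `getent group` only lists the group's explicit member field, so primary-group-only members are invisible there and an unresolved primary GID shows up as a bare number. The script below is an added diagnostic, not code from this thread or from the FreeIPA project: it takes passwd- and group-formatted records (constructed sample data embedded inline; the user and group names are hypothetical, only GID 10007 echoes the post), computes the effective membership of a group including primary-group members, reports which of them `getent group` would hide, and resolves a user's primary GID to a group name or flags it as unresolved. On a real host, feed it the output of `getent passwd` and `getent group` instead of the sample strings.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Reconstructs effective group
# membership from passwd/group records, treating a user's primary GID as
# membership even when the group's member field omits them.

# Constructed sample records; names are hypothetical, GID 10007 echoes the post.
SAMPLE_PASSWD='lsimpson:x:1542:10007::/home/lsimpson:/bin/bash
jdoe:x:1543:10007::/home/jdoe:/bin/bash
asmith:x:1544:10010::/home/asmith:/bin/bash
ghost:x:1545:10099::/home/ghost:/bin/sh'
SAMPLE_GROUP='research:x:10007:asmith
admins:x:10010:lsimpson,asmith'

# group_gid NAME GROUP_DATA -> prints the GID of group NAME, fails if unknown
group_gid() {
    gid=$(printf '%s\n' "$2" | awk -F: -v g="$1" '$1==g {print $3; exit}')
    [ -n "$gid" ] && printf '%s\n' "$gid"
}

# explicit_members NAME GROUP_DATA -> the member field of NAME, one per line
# (this is all that "getent group NAME" shows)
explicit_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" \
        '$1==g && $4!="" {n=split($4,m,","); for(i=1;i<=n;i++) print m[i]}'
}

# primary_members NAME PASSWD_DATA GROUP_DATA -> users whose primary GID is NAME's GID
primary_members() {
    gid=$(group_gid "$1" "$3") || return 1
    printf '%s\n' "$2" | awk -F: -v gid="$gid" '$4==gid {print $1}'
}

# effective_members NAME PASSWD_DATA GROUP_DATA -> union of both, sorted, one per line
effective_members() {
    { explicit_members "$1" "$3"; primary_members "$1" "$2" "$3"; } | sort -u
}

# hidden_members NAME PASSWD_DATA GROUP_DATA -> primary-group members that are absent
# from the member field, i.e. members "getent group NAME" would not list
hidden_members() {
    explicit=$(explicit_members "$1" "$3")
    primary_members "$1" "$2" "$3" | while IFS= read -r u; do
        printf '%s\n' "$explicit" | grep -qx -- "$u" || printf '%s\n' "$u"
    done
}

# primary_group_name USER PASSWD_DATA GROUP_DATA -> name of USER's primary group,
# or UNRESOLVED:<gid> when no group record carries that GID
primary_group_name() {
    gid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1==u {print $4; exit}')
    [ -n "$gid" ] || return 1
    name=$(printf '%s\n' "$3" | awk -F: -v gid="$gid" '$3==gid {print $1; exit}')
    if [ -n "$name" ]; then printf '%s\n' "$name"; else printf 'UNRESOLVED:%s\n' "$gid"; fi
}

# Stand-alone report over the constructed data. On a real host replace the two
# SAMPLE_* strings with "$(getent passwd)" and "$(getent group)".
main() {
    for g in research admins; do
        printf '%s effective: %s\n' "$g" \
            "$(effective_members "$g" "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | tr '\n' ' ')"
        printf '%s hidden from getent group: %s\n' "$g" \
            "$(hidden_members "$g" "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | tr '\n' ' ')"
    done
    for u in lsimpson ghost; do
        printf '%s primary group: %s\n' "$u" \
            "$(primary_group_name "$u" "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
    done
}
main
```

Comparing `hidden_members` output against what the NAS-side ACLs expect is the quickest way to tell whether a "missing member" is a lookup-side problem (the user is a primary-group member that the group listing does not surface) or a genuine mapping problem (the primary GID resolves to nothing, or to the wrong name, on the IPA side).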