On Tue, 17 May 2016, Simpson Lachlan wrote:
>>> I feel like it would be an obvious need - to translate or override AD
>>> primary groups to FreeIPA groups, but this doesn't seem possible.
>> There is only one primary group for a user. For Kerberos operations we currently
>> don't take ID overrides into account when constructing MS-PAC, so if an AD user
>> comes with GSSAPI to a FreeIPA client, their primary group SID will stay pinned to
>> AD's group, ignoring ID overrides.

> What is MS-PAC?
> https://msdn.microsoft.com/en-us/library/cc237917.aspx

>> I'm not sure it would be possible to amend primary group SIDs with ID overrides
>> in general because a numeric value in the override for a gid does not mean there is
>> an actual group with a proper SID and name in FreeIPA for that gid.


> Not interested in changing the SID. I want to change the GID. When the
> AD groups are read in FreeIPA they are given a GID like 1718800000.
>
> I want that GID to be the same as it is in AD - eg 10004. That way,
> when a user writes to the shared drive on the linux side, the file is
> given the group ownership 10004. Which, when read on the Windows side,
> correctly maps to a group of users (instead of an individual). This is
> working in the current non-IPA system, but that system is not
> integrated. We want to integrate, hence FreeIPA.

So you have POSIX attributes defined in AD already? Why then are you
using POSIX attributes defined in IPA? You could have defined an ID
range type that forces SSSD to use POSIX attributes from Active
Directory.

--
/ Alexander Bokovoy
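As an added illustration (not code from the thread or from the FreeIPA/SSSD projects), the following Python models how a FreeIPA client ends up with a GID for an AD group under the two trust range types Alexander refers to: an algorithmic `ipa-ad-trust` range yields a GID derived from the group SID (the 1718800000-style numbers), while an `ipa-ad-trust-posix` range hands back the gidNumber stored in AD. It assumes SSSD's algorithmic mapping is gid = base_id + (rid - base_rid) within the range, and all range parameters and the AD group are constructed values.

```python
"""Model of how an AD group's GID is derived on a FreeIPA client.

Constructed example. Assumption: for an ipa-ad-trust range SSSD maps
    gid = base_id + (rid - base_rid)   for base_rid <= rid < base_rid + size
An ID override changes what POSIX lookups return; it does not change the
primary group SID carried in the Kerberos MS-PAC, as noted in the thread.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdRange:
    """Subset of the attributes of an IPA trust ID range (constructed)."""
    base_id: int
    size: int
    base_rid: int
    range_type: str  # 'ipa-ad-trust' (algorithmic) or 'ipa-ad-trust-posix'


@dataclass
class AdGroup:
    sid: str
    gid_number: Optional[int]  # gidNumber from AD, if POSIX attrs are set there


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of a SID like S-1-5-21-...-1107."""
    return int(sid.rsplit("-", 1)[1])


def gid_for_group(rng: IdRange, group: AdGroup) -> int:
    """GID SSSD would assign to the AD group under the given trust range."""
    if rng.range_type == "ipa-ad-trust-posix":
        if group.gid_number is None:
            raise LookupError("POSIX range, but the AD group has no gidNumber")
        return group.gid_number
    if rng.range_type == "ipa-ad-trust":
        rid = rid_of(group.sid)
        if not rng.base_rid <= rid < rng.base_rid + rng.size:
            raise LookupError("RID falls outside the trust ID range")
        return rng.base_id + (rid - rng.base_rid)
    raise ValueError(f"unknown range type {rng.range_type!r}")


def effective_posix_gid(rng: IdRange, group: AdGroup,
                        override_gid: Optional[int] = None) -> int:
    """GID seen by POSIX lookups: an ID override wins if one is defined."""
    return override_gid if override_gid is not None else gid_for_group(rng, group)
```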

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project