We’re attempting to set up an IPA (4.2) service on RHEL7.2 to provide better
connectivity to our (large) organisational AD service for Linux clients.
We have set up IPA and configured a suitable AD trust (with SID POSIX mapping)
in the hope that users will be able to access IPA resources (hosts, storage)
using existing AD credentials and groups. This is working fine - we can log in to
Linux hosts using AD credentials and see the AD groups.
However, it would appear that in order to use AD group membership as the basis
for Linux HBAC or sudo, we need to firstly _map_ the AD groups to an equivalent
IPA (POSIX) group? Is this correct?
I can see that it’s possible to define ‘external’ *users* (not groups) in some
cases, but this function appears to be deprecated.
We have large numbers of groups in our AD (~50k), so obviously that’s a lot of
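The group mapping the question describes (AD group -> IPA external group -> IPA POSIX group, with only the POSIX group usable in HBAC and sudo rules) is the pattern FreeIPA documents for trusted-domain groups. The script below is an added example, not from the original post or the FreeIPA project, that does the mapping in bulk for a list of AD groups and then attaches one mapped group to an HBAC rule. The AD domain name ad.example.com, the sample group names, the host group linux_servers and the rule name are constructed assumptions; it runs with DRY_RUN=1 (the default here) so it only prints the ipa commands, and expects an enrolled client with an admin Kerberos ticket (kinit admin) when DRY_RUN is unset.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Bulk-map AD groups into IPA POSIX groups via IPA "external" groups so
# the POSIX groups can be used in HBAC and sudo rules.
# Assumptions (constructed): AD domain ad.example.com, the sample group
# list below, host group "linux_servers". DRY_RUN=1 prints the commands
# instead of running them; unset it on a client with a valid admin ticket.

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command when dry-running, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Derive a legal IPA group name from an AD group name: lowercase, and
# anything outside [a-z0-9_.-] (spaces, for example) becomes '_'.
ipa_name() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9_.-]/_/g'
}

# Map one AD group: an external group holds the AD member (name@domain
# form, which ipa group-add-member --external accepts), and a POSIX
# group nests that external group. Only the POSIX group can be referenced
# from hbacrule-add-user / sudorule-add-user.
map_ad_group() {
    ad_group="$1"
    base=$(ipa_name "$ad_group")
    ext="${base}_external"
    run ipa group-add "$ext" --external "--desc=AD group ${ad_group} (external)"
    run ipa group-add-member "$ext" "--external=${ad_group}@${AD_DOMAIN}"
    run ipa group-add "$base" "--desc=POSIX wrapper for AD group ${ad_group}"
    run ipa group-add-member "$base" "--groups=${ext}"
}

# Read AD group names from stdin, one per line, and map each of them.
map_ad_groups() {
    while IFS= read -r g; do
        if [ -n "$g" ]; then
            map_ad_group "$g"
        fi
    done
}

# Let a mapped POSIX group log in (any service) to a host group.
allow_hbac() {
    rule="$1"; posix_group="$2"; hostgroup="$3"
    run ipa hbacrule-add "$rule" --servicecat=all
    run ipa hbacrule-add-user "$rule" "--groups=${posix_group}"
    run ipa hbacrule-add-host "$rule" "--hostgroups=${hostgroup}"
}

# Constructed sample input: AD groups to map, one per line.
SAMPLE_GROUPS='Domain Admins
Linux Admins
Storage Users'

printf '%s\n' "$SAMPLE_GROUPS" | map_ad_groups
allow_hbac linux_admins_access "$(ipa_name 'Linux Admins')" linux_servers
```

For tens of thousands of groups, feed the real group list (for example from an LDAP query against AD) into `map_ad_groups` rather than mapping by hand, and keep the generated name list so the external/POSIX pairs can be audited and removed later; the AD membership itself is still evaluated by SSSD at login, the IPA groups only provide the POSIX handle that HBAC and sudo rules can name.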