Hi All.

We’re attempting to setup an IPA (4.2) service on RHEL7.2 to provide better 
connectivity to our (large) organisational AD service for Linux clients.

We have setup IPA and configured a suitable AD trust (with SID POSIX mapping) 
in the hope that users will be able to access IPA resources (hosts, storage) 
using existing AD credentials and groups.  This working fine - we can login to 
Linux hosts using AD credentials and see the AD groups.

However, it would appear that in order to use AD group membership as the basis 
for Linux HBAC or sudo, we need to firstly _map_ the AD groups to an equivalent 
IPA (POSIX) group?  Is this correct?

I can see that it’s possible to define ‘external’ *users* (not groups) in some 
cases, but this function appears to be deprecated.

We have large numbers of groups in our AD (~50k), so obviously that’s a lot of 



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to