On 12 October 2016 at 15:23, Robert Sturrock <r...@unimelb.edu.au> wrote:

> Hi All.
> We’re attempting to set up an IPA (4.2) service on RHEL7.2 to provide
> better connectivity to our (large) organisational AD service for Linux
> clients.
> We have set up IPA and configured a suitable AD trust (with SID POSIX
> mapping) in the hope that users will be able to access IPA resources
> (hosts, storage) using existing AD credentials and groups.  This is working
> fine - we can login to Linux hosts using AD credentials and see the AD
> groups.
> However, it would appear that in order to use AD group membership as the
> basis for Linux HBAC or sudo, we need to firstly _map_ the AD groups to an
> equivalent IPA (POSIX) group?  Is this correct?
> I can see that it’s possible to define ‘external’ *users* (not groups) in
> some cases, but this function appears to be deprecated.
> We have large numbers of groups in our AD (~50k), so obviously that’s a
> lot of mapping!

Hi Rob,

It should work with groups no problems. We found a few issues with sssd
<1.14. To get up-to-date sssd for the hosts, the best bet is the COPR


As for groups working with HBAC, it should work no problems. Yes to mapping
though. Here is the process:

1. Create an external group for your AD users/groups
2. Add AD group name to that external group (this AD group's existence will
be confirmed by IPA->AD trust or command will fail)
3. Create POSIX group
4. Add the group created in step 1 to the group created in step 3

And here are some example commands to do that, as we executed them here, in
the same order:

# 1. external (non-POSIX) group that will hold the AD group's SID
ipa group-add --external --desc="petermac.org.au external map" ad_users_external
# 2. add the AD group; IPA resolves it over the trust, or the command fails
ipa group-add-member ad_users_external --external 'PMCI\Bioinf-Cluster'
# 3. POSIX group that HBAC and sudo rules reference
ipa group-add --desc="petermac.org.au AD users" ad_users
# 4. nest the external group inside the POSIX group
ipa group-add-member ad_users --groups ad_users_external

Let me know how you go


The most dangerous phrase in the language is, "We've always done it this

- Grace Hopper
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
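An added example, not part of the thread and not FreeIPA project code: a small POSIX shell script that carries out the four mapping steps from the reply above for one AD group or a whole list of them (the original question mentions ~50k groups), and then creates an HBAC rule referencing the resulting POSIX group. It assumes the trust is already established and an admin ticket is held (kinit admin); the naming scheme (lower-case the AD name, keep the domain, replace characters IPA group names do not allow), the host group and rule names, and the DRY_RUN switch are this example's own choices, not anything the thread states.

```sh
#!/bin/sh
# Added example, not from the freeipa-users thread: map AD groups into IPA
# following the four steps in the reply (external group -> AD member ->
# POSIX group -> nesting), for one group or a whole list, then hang an HBAC
# rule off the POSIX group.
# Assumptions not stated in the thread: the trust already exists, you hold an
# admin ticket (kinit admin), and IPA group names are derived from the AD name
# by lower-casing it and replacing characters IPA does not allow. Group and
# rule names below are illustrative. DRY_RUN=1 prints the ipa commands that
# would run instead of executing them.
set -e

# Run a command, or print it in copy-pasteable form when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        sep=''
        for a in "$@"; do
            case "$a" in
                *[!A-Za-z0-9_./=:@-]*) printf "%s'%s'" "$sep" "$a" ;;
                *) printf '%s%s' "$sep" "$a" ;;
            esac
            sep=' '
        done
        printf '\n'
    else
        "$@"
    fi
}

# Accept only the forms the trust resolves: 'DOMAIN\group' or 'group@domain'.
check_ad_name() {
    case "$1" in
        *\\*|*@*) return 0 ;;
        *) printf 'error: %s is not DOMAIN\\group or group@domain\n' "$1" >&2
           return 1 ;;
    esac
}

# Derive an IPA group name: 'PMCI\Bioinf-Cluster' -> pmci_bioinf-cluster.
# The domain is kept so same-named groups in two trusted domains do not clash.
ipa_name_for() {
    printf '%s' "$1" | tr '\\' '_' | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9_.-]/_/g'
}

# The four steps from the reply for one AD group. group-add is skipped when the
# group already exists; group-add-member is not, so re-running a fully mapped
# group stops with "already a member".
map_ad_group() {
    check_ad_name "$1" || return 1
    base=$(ipa_name_for "$1")
    ext="${base}_external"
    # 1. external (non-POSIX) group that will hold the AD group's SID
    ipa group-show "$ext" >/dev/null 2>&1 ||
        run ipa group-add --external --desc="AD map for $1" "$ext"
    # 2. add the AD group; IPA resolves it over the trust and fails if it is unknown
    run ipa group-add-member "$ext" --external "$1"
    # 3. POSIX group that HBAC and sudo rules can reference
    ipa group-show "$base" >/dev/null 2>&1 ||
        run ipa group-add --desc="AD users from $1" "$base"
    # 4. nest the external group inside the POSIX group
    run ipa group-add-member "$base" --groups "$ext"
}

# Bulk mapping: one AD group per line, blank lines and '#' comments ignored.
map_from_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        map_ad_group "$line"
    done <"$1"
}

# HBAC rule letting members of POSIX group $1 reach hosts in hostgroup $2 via
# HBAC service $3 (e.g. sshd).
hbac_allow() {
    rule="allow_${1}_on_${2}"
    run ipa hbacrule-add "$rule"
    run ipa hbacrule-add-user "$rule" --groups "$1"
    run ipa hbacrule-add-host "$rule" --hostgroups "$2"
    run ipa hbacrule-add-service "$rule" --hbacsvcs "$3"
}

# Usage: DRY_RUN=1 sh map_ad_groups.sh 'PMCI\Bioinf-Cluster' [more groups ...]
for g in "$@"; do
    map_ad_group "$g"
done
```

Run it once with DRY_RUN=1 to see the exact ipa commands before touching the directory. After a real run, confirm the nesting on a client with `getent group pmci_bioinf-cluster` (the AD members should appear via sssd) and check the rule with `ipa hbactest --user 'PMCI\someone' --host node1.example.org --service sshd` (host and user names here are placeholders).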