On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
> Hey All,
>
> I've successfully mapped the nixadmins to the external group
> nixadmins_external. However no users in that group make it over to Free IPA
> that I can see.
>
> ipa group-add-member nixadmins_external --external "nixadmins"
>
> Windows AD users, 3 of them, are in the windows AD group nixadmins. However
> I can't port them over.
>
> These accounts have UNIX attributes assigned to them.
>
> Question that I have and can't find, should I be seeing these users in the
> mapped groups above? ( ie within the GUI should I see any users listed from
> AD DC in nixadmins or nixadmins_external? )

no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
should show that nixadmins_external is a member of that group. With a recent
version of SSSD 'getent group nixadmins_external' should list the users from
nixadmins as well, older versions might miss them.

HTH

bye,
Sumit

>
> If there is an issue and I'm just not picking it out from the debug logs,
> what to look for? Is there anything more I need to do on the Windows side
> that I haven't found on the existing pages?
>
>
> # ipa group-add-member nixadmins_external --external "nixadmins"
> [member user]:
> [member group]:
>   Group name: nixadmins_external
>   Description: NIX Admins External map
>   External member: S-1-5-21-3418825849-1633701630-2291579631-1006
>   Member groups: nixadmins
>   Member of groups: nixadmins
>   Indirect Member groups: nixadmins_external
> -------------------------
> Number of members added 1
> -------------------------
> #
>
>
> # ipa trustdomain-find abc.xyz
>   Domain name: abc.xyz
>   Domain NetBIOS name: ABC
>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>   Domain enabled: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
> #
>
>
> [realms]
>  DOM.ABC.XYZ = {
> .
> .
> .
>   auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
>   auth_to_local = DEFAULT
> }
>
>
> # ipa trust-fetch-domains abc.xyz
> ----------------------------------------------------------------------------------------
> List of trust domains successfully refreshed. Use trustdomain-find command
> to list them.
> ----------------------------------------------------------------------------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
> [root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
>   Domain name: abc.xyz
>   Domain NetBIOS name: ABC
>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>   Domain enabled: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
>
> # ipa trust-fetch-domains abc.xyz
> ----------------------------------------------------------------------------------------
> List of trust domains successfully refreshed. Use trustdomain-find command
> to list them.
> ----------------------------------------------------------------------------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
> #
>
>
> The following command successfully returns all AD objects under the Users
> cn.
>
> # ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b
> "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn
>
>
> --
> Cheers,
> Tom K.
> -------------------------------------------------------------------------------------
>
> Living on earth is expensive, but it includes a free trip around the sun.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
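Added example, not part of either poster's message: an object SID is its domain's SID followed by a relative ID, so the "External member" SID printed by `ipa group-add-member` can be compared with the "Domain Security Identifier" printed by `ipa trustdomain-find` to confirm which domain the external name resolved in. The function names are hypothetical, the sample text reuses the values quoted in the thread, and only a single external member is handled.

```shell
#!/bin/bash
# Added example: does an external member SID belong to the trusted domain?
# Input is text printed by the ipa CLI; nothing here contacts a server.

# Print the domain portion of an object SID (everything before the final RID).
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# Read ipa CLI output on stdin and print the value of the first "Label: value" line.
ipa_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# $1 = output of 'ipa group-add-member <group> --external <name>'
# $2 = output of 'ipa trustdomain-find <domain>'
# Returns 0 if the member SID is inside the trusted domain's SID space,
# 1 if it is not, 2 if either field is missing from the input.
external_member_in_trusted_domain() {
    member_sid=$(printf '%s\n' "$1" | ipa_field 'External member')
    domain_sid=$(printf '%s\n' "$2" | ipa_field 'Domain Security Identifier')
    [ -n "$member_sid" ] && [ -n "$domain_sid" ] || return 2
    [ "$(sid_domain "$member_sid")" = "$domain_sid" ]
}

# Sample input: lines taken from the command output quoted in the thread.
GROUP_OUT='  Group name: nixadmins_external
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006'
TRUST_OUT='  Domain name: abc.xyz
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517'

if external_member_in_trusted_domain "$GROUP_OUT" "$TRUST_OUT"; then
    echo "external member SID is in the trusted domain"
else
    echo "external member SID is NOT in the trusted domain's SID space"
fi
```

With the values from the thread the domain parts differ, which is worth ruling out before looking at SSSD: the thread does not show which object the name "nixadmins" was resolved to.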