On 12/3/2016 12:33 AM, TomK wrote:
On 12/2/2016 8:43 AM, Sumit Bose wrote:
On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
Hey All,

I've successfully mapped the nixadmins to the external group nixadmins_external. However, no users in that group make it over to Free IPA that I can see.

ipa group-add-member nixadmins_external --external "nixadmins"

Windows AD users, 3 of them, are in the Windows AD group nixadmins. However, I can't port them over.

These accounts have UNIX attributes assigned to them.

Question that I have and can't find: should I be seeing these users in the mapped groups above? (i.e. within the GUI, should I see any users listed from the AD DC in nixadmins or nixadmins_external?)

No, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain' should show that nixadmins_external is a member of that group. With recent versions of SSSD, 'getent group nixadmins_external' should list the users from nixadmins as well; older versions might miss them.

HTH

bye,
Sumit


If there is an issue and I'm just not picking it out from the debug logs, what should I look for? Is there anything more I need to do on the Windows side that I haven't found on the existing pages?


# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
  Group name: nixadmins_external
  Description: NIX Admins External map
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006
  Member groups: nixadmins
  Member of groups: nixadmins
  Indirect Member groups: nixadmins_external
-------------------------
Number of members added 1
-------------------------
#


# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
#


[realms]
 DOM.ABC.XYZ = {
.
.
.
  auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
  auth_to_local = DEFAULT
}


# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------

List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------

----------------------------
Number of entries returned 0
----------------------------
[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------


# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------

List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------

----------------------------
Number of entries returned 0
----------------------------
#


The following command successfully returns all AD objects under the Users cn.

# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn


--
Cheers,
Tom K.
-------------------------------------------------------------------------------------


Living on earth is expensive, but it includes a free trip around the sun.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Nothing:

# id t...@abc.xyz
id: t...@abc.xyz: no such user
# getent group nixadmins_external
# getent group nixadmins
nixadmins:*:1746600012:
#

I'll enable debug logging to determine further.


I'm getting the following in the logs. Not sure why it cannot assign a GID (possibly a range mismatch), but my dnaRemainingValues is 99498 and so is fine:

[2016/12/03 10:45:44.232656, 3, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_allocate_gid.c:45(winbindd_allocate_gid_send)
  allocate_gid
[2016/12/03 10:45:44.232689, 1, pid=4792, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_AllocateGid: struct wbint_AllocateGid
          in: struct wbint_AllocateGid
[2016/12/03 10:45:44.233134, 1, pid=4792, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_AllocateGid: struct wbint_AllocateGid
          out: struct wbint_AllocateGid
              gid                      : *
                  gid                      : 0x0000000000000000 (0)
              result                   : NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233192, 5, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_allocate_gid.c:83(winbindd_allocate_gid_recv)
  Could not allocate gid: NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233212, 10, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
  wb_request_done[5125:ALLOCATE_GID]: NT_STATUS_UNSUCCESSFUL

Any hints would be appreciated while I look for a solution on this end.

--
Cheers,
Tom K.
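A small triage helper, added here and not part of the thread, that parses Samba winbindd debug-log entries of the kind quoted above and lists the requests that ended with a non-OK NT_STATUS; it assumes the standard Samba debug header "[timestamp, level, pid=N, ...] file:line(function)" followed by indented message lines, and the sample log is a constructed excerpt of the thread's ALLOCATE_GID failure.

```python
"""Parse Samba winbindd debug-log entries and flag failed requests.

Added example, not part of the mailing-list thread; assumes the stock
Samba debug header "[timestamp, level, pid=N, ...] file:line(function)"
followed by indented message lines.
"""
import re

HEADER = re.compile(
    r"^\[(?P<ts>[^,]+), (?P<level>\d+), pid=(?P<pid>\d+)[^\]]*\] "
    r"\S+:\d+\((?P<func>\w+)\)$"
)
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")

# Constructed sample: the ALLOCATE_GID failure pattern from the thread.
SAMPLE = """\
[2016/12/03 10:45:44.232656, 3, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_allocate_gid.c:45(winbindd_allocate_gid_send)
  allocate_gid
[2016/12/03 10:45:44.233134, 1, pid=4792, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_AllocateGid: struct wbint_AllocateGid
          out: struct wbint_AllocateGid
              result                   : NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233192, 5, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_allocate_gid.c:83(winbindd_allocate_gid_recv)
  Could not allocate gid: NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233212, 10, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
  wb_request_done[5125:ALLOCATE_GID]: NT_STATUS_UNSUCCESSFUL
"""


def parse_log(text):
    """Group log lines into entries {level, func, msg}; the indented
    continuation lines of each entry are joined into one message string."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({"level": int(m["level"]), "func": m["func"], "msg": []})
        elif entries and raw.strip():
            entries[-1]["msg"].append(raw.strip())
    for e in entries:
        e["msg"] = "\n".join(e["msg"])
    return entries


def failed_requests(entries):
    """Return (func, status) for every entry carrying a non-OK NT_STATUS."""
    return [
        (e["func"], s)
        for e in entries
        for s in NT_STATUS.findall(e["msg"])
        if s != "NT_STATUS_OK"
    ]
```

Run `failed_requests(parse_log(open("log.winbindd").read()))` against a real winbindd log to pull out only the failing requests and the function that reported them.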