[Freeipa-users] Re: OSX (El Capitan) - FreeIPA

2017-07-26 Thread Jason Sherrill via FreeIPA-users
Luiz,

Would you please run the below command from an OS X workstation's terminal
to test look-up/caching of groups? If it displays a gid then we know the
issue isn't LDAP mapping.

dscacheutil -q group -a name *yourGroupName*


On Tue, Jul 25, 2017 at 11:30 AM, Luiz Garrido ALKEMY X via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Our setup is really close to this how-to:
>
> http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_
> for_Mac_OS_X_10.12
>
> Just a little different because this didn't exist when we did the
> configuration. But even if you follow that, users on Mac are not getting
> IPA groups and without correct groups, ALCs are not working for those
> workstations.
>
>
>
> Luiz
>
>
>
>
> On 07/25/2017 10:36 AM, Grant Janssen wrote:
>
> Luiz
>
> Oh yes, I had this problem.  But getting functionality on OS-X was not a 
> simple matter.
> Do you have documentation on how you got there?
>
> - grant
>
>
>
>
> On Jul 24, 2017, at 14:16, Luiz Garrido ALKEMY X via FreeIPA-users 
>   
> wrote:
>
> Hi,
>
> We have an environment with mixed OSX and CentOS computers and IPA is
> working great for almost everything.
>
> The only problem that we have (besides the known ones) is that the IPA
> user logged to an OSX computer is not getting group information. Logged
> to a CentOS, the `id` command shows all the groups assigned to the user
> but running the same command on an OSX under the same user, the groups
> are different, mainly Apple groups and not our IPA groups. Does anyone
> had this problem?
>
> So, because of this, ACL permissions on our NFS server is not working
> for OSX machines, but are working great for CentOS ones.
>
> Thanks!
>
> Luiz Garrido
>
> This e-mail and any attachments are intended only for use by the addressee(s) 
> named herein and may contain confidential information. If you are not the 
> intended recipient of this e-mail, you are hereby notified any dissemination, 
> distribution or copying of this email and any attachments is strictly 
> prohibited. If you receive this email in error, please immediately notify the 
> sender by return email and permanently delete the original, any copy and any 
> printout thereof. The integrity and security of e-mail cannot be guaranteed.
>
>
>
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>


-- 

*Jason Sherrill*
*IT Specialist*
Deeplocal Inc. 
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: OSX (El Capitan) - FreeIPA

2017-07-26 Thread Luiz Garrido ALKEMY X via FreeIPA-users
Our setup is really close to this how-to:

http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12

Just a little different because this didn't exist when we did the 
configuration. But even if you follow that, users on Mac are not getting IPA 
groups and without correct groups, ALCs are not working for those workstations.


Luiz



On 07/25/2017 10:36 AM, Grant Janssen wrote:

Luiz

Oh yes, I had this problem.  But getting functionality on OS-X was not a simple 
matter.
Do you have documentation on how you got there?

- grant





On Jul 24, 2017, at 14:16, Luiz Garrido ALKEMY X via FreeIPA-users 

 wrote:

Hi,

We have an environment with mixed OSX and CentOS computers and IPA is
working great for almost everything.

The only problem that we have (besides the known ones) is that the IPA
user logged to an OSX computer is not getting group information. Logged
to a CentOS, the `id` command shows all the groups assigned to the user
but running the same command on an OSX under the same user, the groups
are different, mainly Apple groups and not our IPA groups. Does anyone
had this problem?

So, because of this, ACL permissions on our NFS server is not working
for OSX machines, but are working great for CentOS ones.

Thanks!

Luiz Garrido


This e-mail and any attachments are intended only for use by the addressee(s) 
named herein and may contain confidential information. If you are not the 
intended recipient of this e-mail, you are hereby notified any dissemination, 
distribution or copying of this email and any attachments is strictly 
prohibited. If you receive this email in error, please immediately notify the 
sender by return email and permanently delete the original, any copy and any 
printout thereof. The integrity and security of e-mail cannot be guaranteed.


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: OSX (El Capitan) - FreeIPA

2017-07-25 Thread Jason Sherrill via FreeIPA-users
Hi Luiz,

Would you please verify your settings in:
System Preferences > Users & Groups > Login Options > Network Account
Server > Directory Utility > Services > LDAP > Your LDAP server > Search &
Mappings
There should be a Record Type called 'Groups' with an attribute
'PrimaryGroupID' that is mapped to 'gidNumber.'


On Mon, Jul 24, 2017 at 5:16 PM, Luiz Garrido ALKEMY X via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> We have an environment with mixed OSX and CentOS computers and IPA is
> working great for almost everything.
>
> The only problem that we have (besides the known ones) is that the IPA
> user logged to an OSX computer is not getting group information. Logged
> to a CentOS, the `id` command shows all the groups assigned to the user
> but running the same command on an OSX under the same user, the groups
> are different, mainly Apple groups and not our IPA groups. Does anyone
> had this problem?
>
> So, because of this, ACL permissions on our NFS server is not working
> for OSX machines, but are working great for CentOS ones.
>
>
> Thanks!
>
> Luiz Garrido
>
>
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>



-- 

*Jason Sherrill*
*IT Specialist*
Deeplocal Inc. 
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org