Re: [Freeipa-users] Default domain for AD groups

2017-02-24 Thread Hanoz Elavia
Thanks Alexander!!


On Fri, Feb 24, 2017 at 6:04 AM, Alexander Bokovoy 
wrote:

> On Thu, 23 Feb 2017, Hanoz Elavia wrote:
>
>> Hello,
>>
>> My FreeIPA clients and server are setup to use the AD domain as the
>> default. This is done using the default_domain_suffix parameter in the
>> sssd
>> section of the sssd.conf file.
>>
>> This works fine for users when we use ldapsearch but not so much for
>> groups. For e.g.:
>>
>> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
>> 'cn=compat,dc=ipa,dc=server,dc=com' -D
>> 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' '(cn=
>> domaingr...@server.com)'
>>
>> works fine but
>>
>> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' -b
>> 'cn=compat,dc=ipa,dc=server,dc=com' -D
>> 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com'
>> '(cn=domaingroup)'
>>
>> won't work. However, the above will work fine for users. I'm using the
>>
> No, compat tree is designed to be used with fully-qualified groups and
> users. There is no way around it.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Default domain for AD groups

2017-02-23 Thread Alexander Bokovoy

On Thu, 23 Feb 2017, Hanoz Elavia wrote:

> Hello,
>
> My FreeIPA clients and server are setup to use the AD domain as the
> default. This is done using the default_domain_suffix parameter in the sssd
> section of the sssd.conf file.
>
> This works fine for users when we use ldapsearch but not so much for
> groups. For e.g.:
>
> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
>   -b 'cn=compat,dc=ipa,dc=server,dc=com' \
>   -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
>   '(cn=domaingr...@server.com)'
>
> works fine but
>
> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
>   -b 'cn=compat,dc=ipa,dc=server,dc=com' \
>   -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
>   '(cn=domaingroup)'
>
> won't work. However, the above will work fine for users. I'm using the

No, compat tree is designed to be used with fully-qualified groups and
users. There is no way around it.

--
/ Alexander Bokovoy

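Alexander's answer means that anything holding only a short AD group name has to qualify it before asking the compat tree. The shell snippet below is an added example, not code from this thread or from FreeIPA: it appends the default domain when a name has none, escapes the value as RFC 4515 requires (which matters as soon as the name comes from a script argument or a web form, because an unescaped `*` or `)` would change the meaning of the filter), and builds the same search the original post runs. The domain `ad.example.com`, the `cn=users`/`cn=groups` subtrees of the compat tree and the function names are assumptions; the server URI and bind DN are the placeholders from the post.

```shell
#!/bin/sh
# Added example, not from the thread: build a compat-tree ldapsearch filter
# from a short AD name plus the SSSD default_domain_suffix.
# Assumed values: "ad.example.com" is a made-up domain; the URI, base and
# bind DN are the placeholders used in the original post.

DEFAULT_DOMAIN="ad.example.com"
IPA_URI="ldap://ipa.server.com"
COMPAT_BASE="cn=compat,dc=ipa,dc=server,dc=com"
BIND_DN="uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com"

# ldap_escape VALUE: escape the characters RFC 4515 reserves inside a filter
# value (backslash first, so the escapes added afterwards are not re-escaped).
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# qualify NAME: append @DEFAULT_DOMAIN unless NAME already carries a domain.
# The compat tree only answers for fully-qualified AD names, so a bare
# "domaingroup" has to become "domaingroup@ad.example.com" before searching.
qualify() {
    case "$1" in
        *@*) printf '%s' "$1" ;;
        *)   printf '%s@%s' "$1" "$DEFAULT_DOMAIN" ;;
    esac
}

# compat_filter ATTR NAME: the filter string to hand to ldapsearch.
# ATTR is "cn" for groups and "uid" for users, as in the post.
compat_filter() {
    printf '(%s=%s)' "$1" "$(ldap_escape "$(qualify "$2")")"
}

# compat_search ATTR NAME: run the search from the thread, narrowed to the
# compat subtree for that object type (assumed layout: cn=users / cn=groups
# under cn=compat). Needs a reachable server, so nothing here calls it.
compat_search() {
    attr=$1
    name=$2
    case "$attr" in
        cn)  sub="cn=groups,$COMPAT_BASE" ;;
        uid) sub="cn=users,$COMPAT_BASE" ;;
        *)   echo "unknown attribute: $attr" >&2; return 2 ;;
    esac
    ldapsearch -x -W -s sub -H "$IPA_URI" -b "$sub" -D "$BIND_DN" \
        "$(compat_filter "$attr" "$name")"
}
```

After sourcing the file, `compat_search cn domaingroup` issues the working form of the post's second search, `(cn=domaingroup@ad.example.com)`, and `compat_search uid someuser` does the same for a user. Names that already carry a domain are passed through unchanged, so a group from a second trusted domain can still be looked up by giving its full name. The escaping is the part worth keeping even in a one-off script: a name like `*)(objectClass=*` becomes a harmless literal instead of widening the search.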


[Freeipa-users] Default domain for AD groups

2017-02-23 Thread Hanoz Elavia
Hello,

My FreeIPA clients and server are setup to use the AD domain as the
default. This is done using the default_domain_suffix parameter in the sssd
section of the sssd.conf file.

This works fine for users when we use ldapsearch but not so much for
groups. For e.g.:

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
  -b 'cn=compat,dc=ipa,dc=server,dc=com' \
  -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
  '(cn=domaingr...@server.com)'

works fine but

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
  -b 'cn=compat,dc=ipa,dc=server,dc=com' \
  -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
  '(cn=domaingroup)'

won't work. However, the above will work fine for users. I'm using the
following:

AD: Windows 2008 R2
FreeIPA Server: 4.4.0-14
FreeIPA Client: 4.4.0-14
SSSD: 1.14.0-43
Linux version: CentOS 7.3 x86_64

The AD trust is setup with --enable-compat.

Regards,

Hanoz