Re: [Freeipa-users] FreeIPA 4.1.4 and Windows Groups

2015-04-27 Thread Alexander Bokovoy

On Mon, 27 Apr 2015, Zach McNeilly wrote:

> Hi all,
>
> First I'd like to say thank you for the fantastic product. We've been
> using FreeIPA since v 1 and it's been fantastic.
>
> Recently we've hit a slight snag, however. We used this document
> (https://www.freeipa.org/page/Windows_authentication_against_FreeIPA)
> to set up Windows to use FreeIPA for its back end authentication. This
> works really well and we are really happy with it.

You know that it is not a supported configuration, right?

> To integrate a CIFS server with FreeIPA we ran 'ipa-adtrust-install'
> on our FreeIPA servers, this added several attributes to every user as
> expected. However, now when users try to log on to a Windows machine
> with their FreeIPA credentials they can log on but they are no longer
> in any Windows groups (Administrators or Remote Desktop Users in this
> case). This was working before running ipa-adtrust-install.
>
> If you remove the following attributes from the user Windows works
> again but samba no longer does:
>
> objectclass=ipantuserattrs
> ipantsecurityidentifier=SID
>
> I've been banging my head against the wall on this for a while, and
> can't seem to get everything to mesh. Can anyone make any
> recommendations?

I don't think we can do anything here. Windows takes the list of SIDs from
the Kerberos ticket's MS-PAC, which is filled by the IPA KDC. The format of
MS-PAC includes the group list in the form of RIDs, i.e. relative identifiers,
relative to the domain SID.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
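As an added example that is not part of the thread, the Python below shows the mechanism Alexander describes: the PAC carries the domain SID plus a list of RIDs, and Windows expands each RID to a full SID before it evaluates group membership. It also round-trips SIDs between the string form stored in ipantsecurityidentifier and the binary form used inside the PAC; the domain SID and RIDs are constructed sample values, and the group names in the comments are illustrative.

```python
import struct


def parse_sid(sid: str):
    """Split 'S-1-5-21-a-b-c-rid' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision is always 1; authority is 48 bits; at most 15 sub-authorities.
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID as carried in the PAC: revision, count, 48-bit big-endian
    identifier authority, then each sub-authority as 32-bit little-endian."""
    revision, authority, subs = parse_sid(sid)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes; rejects a length that disagrees with the count."""
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:]) if count else ()
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def expand_group_rids(domain_sid: str, rids):
    """What the Windows client does with the PAC group list: each RID is
    appended to the logon domain SID to form the SID placed in the token."""
    parse_sid(domain_sid)  # validate before building on it
    return [f"{domain_sid}-{rid}" for rid in rids]


# Constructed sample values, not taken from any real deployment.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
PAC_GROUP_RIDS = [513, 1000]  # e.g. a "Domain Users"-style RID and a custom group

if __name__ == "__main__":
    for sid in expand_group_rids(DOMAIN_SID, PAC_GROUP_RIDS):
        assert bytes_to_sid(sid_to_bytes(sid)) == sid
        print(sid, sid_to_bytes(sid).hex())
```

A local group that grants membership to some other SID (anything not derived from this domain SID and these RIDs) will simply not match the token Windows builds from the PAC, which is consistent with the behaviour reported in the thread.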


[Freeipa-users] FreeIPA 4.1.4 and Windows Groups

2015-04-27 Thread Zach McNeilly

Hi all,

First I'd like to say thank you for the fantastic product. We've been 
using FreeIPA since v 1 and it's been fantastic.


Recently we've hit a slight snag, however. We used this document 
(https://www.freeipa.org/page/Windows_authentication_against_FreeIPA) to 
set up Windows to use FreeIPA for its back end authentication. This 
works really well and we are really happy with it.


To integrate a CIFS server with FreeIPA we ran 'ipa-adtrust-install' on 
our FreeIPA servers, this added several attributes to every user as 
expected. However, now when users try to log on to a Windows machine 
with their FreeIPA credentials they can log on but they are no longer 
in any Windows groups (Administrators or Remote Desktop Users in this 
case). This was working before running ipa-adtrust-install.


If you remove the following attributes from the user Windows works again 
but samba no longer does:


objectclass=ipantuserattrs
ipantsecurityidentifier=SID

I've been banging my head against the wall on this for a while, and 
can't seem to get everything to mesh. Can anyone make any recommendations?


Best,
Zach
