[Freeipa-users] IPA 3.3.3 in transitive trust and random group assignment

2014-10-23 Thread crony
Hi List,
On the IPA server I added one external group for an AD group.

When I log in to an IPA client I can see that group:

97687(trustlinuxgroup_from_ad2posix)

but I also see a few different groups that came directly from Active Directory,
like 127310615(trustlinuxgr...@acme.example.com) or 127200513(domain
us...@acme.example.com):

After clearing the cache, the group assignment looks different: a few more or
fewer groups are shown by the id command.

Do you know the reason? I have no idea what to do with this.

/lm
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA 3.3.3 in transitive trust and random group assignment

2014-10-23 Thread Alexander Bokovoy

On Thu, 23 Oct 2014, crony wrote:

> Hi List,
> On the IPA server I added one external group for an AD group.
>
> When I log in to an IPA client I can see that group:
>
> 97687(trustlinuxgroup_from_ad2posix)
>
> but I also see a few different groups that came directly from Active Directory,
> like 127310615(trustlinuxgr...@acme.example.com) or 127200513(domain
> us...@acme.example.com):
>
> After clearing the cache, the group assignment looks different: a few more or
> fewer groups are shown by the id command.
>
> Do you know the reason? I have no idea what to do with this.

Prior to SSSD 1.12, full group membership was only retrieved during the
actual authentication step. With 1.12.2, I think, we have the means to pick
up most of the groups before authentication as well, barring those that
are not valid outside of the domain or forest's use (domain local
groups).

--
/ Alexander Bokovoy
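
Added example, not part of the original thread or of the FreeIPA/SSSD code: a small helper that compares two captured `id` outputs (for instance one taken before and one after authentication, or before and after clearing the cache) and lists exactly which groups differ. The user name, the AD group names and their IDs are constructed; treating any name containing `@` as coming from the trusted domain is an assumption based on the naming seen in the thread.

```python
import re

# Constructed `id` output. Only 97687(trustlinuxgroup_from_ad2posix) is taken
# from the thread; the user, AD group names and other IDs are made up.
BEFORE_LOGIN = (
    "uid=127001104(jdoe@ad.example.test) gid=127001104(jdoe@ad.example.test) "
    "groups=127001104(jdoe@ad.example.test),97687(trustlinuxgroup_from_ad2posix)"
)
AFTER_LOGIN = (
    "uid=127001104(jdoe@ad.example.test) gid=127001104(jdoe@ad.example.test) "
    "groups=127001104(jdoe@ad.example.test),97687(trustlinuxgroup_from_ad2posix),"
    "127000513(ad group one@ad.example.test),127010615(ad_group_two@ad.example.test)"
)

GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_groups(id_output):
    """Return {gid: name} from the groups= field of one line of `id` output."""
    match = re.search(r"\bgroups=(.*)$", id_output.strip())
    if not match:
        raise ValueError("no groups= field found in id output")
    # Group names may contain spaces, so match gid(name) pairs
    # instead of splitting on commas or whitespace.
    return {int(gid): name for gid, name in GROUP_RE.findall(match.group(1))}


def diff_groups(first, second):
    """Compare two `id` snapshots and report groups present in only one."""
    a, b = parse_groups(first), parse_groups(second)
    return {
        "only_first": sorted((g, a[g]) for g in a.keys() - b.keys()),
        "only_second": sorted((g, b[g]) for g in b.keys() - a.keys()),
        "common": sorted((g, a[g]) for g in a.keys() & b.keys()),
    }


def is_trusted_domain_group(name):
    """Assumption: group@domain names are resolved from the trusted AD domain."""
    return "@" in name


if __name__ == "__main__":
    result = diff_groups(BEFORE_LOGIN, AFTER_LOGIN)
    for gid, name in result["only_second"]:
        origin = "trusted domain" if is_trusted_domain_group(name) else "IPA"
        print(f"only in second snapshot: {gid} {name} ({origin})")
```
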
