Hi All.

We’re attempting to set up an IPA (4.2) service on RHEL7.2 to provide better 
connectivity to our (large) organisational AD service for Linux clients.

We have set up IPA and configured a suitable AD trust (with SID POSIX mapping) 
in the hope that users will be able to access IPA resources (hosts, storage) 
using existing AD credentials and groups.  This is working fine - we can log in to 
Linux hosts using AD credentials and see the AD groups.

However, it would appear that in order to use AD group membership as the basis 
for Linux HBAC or sudo, we need to firstly _map_ the AD groups to an equivalent 
IPA (POSIX) group?  Is this correct?

I can see that it’s possible to define ‘external’ *users* (not groups) in some 
cases, but this function appears to be deprecated.

We have large numbers of groups in our AD (~50k), so obviously that’s a lot of 
mapping!

Regards,

Robert.
