Hey All,
I've successfully mapped the nixadmins to the external group
nixadmins_external. However, no users in that group make it over to
FreeIPA that I can see.
ipa group-add-member nixadmins_external --external "nixadmins"
Windows AD users, 3 of them, are in the windows AD group nixadmins.
However I can't port them over.
These accounts have UNIX attributes assigned to them.
The question I have, and can't find an answer to: should I be seeing
these users in the mapped groups above? (i.e. within the GUI, should I
see any users listed from the AD DC in nixadmins or nixadmins_external?)
If there is an issue and I'm just not picking it out from the debug
logs, what should I look for? Is there anything more I need to do on the
Windows side that I haven't found on the existing pages?
# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
Group name: nixadmins_external
Description: NIX Admins External map
External member: S-1-5-21-3418825849-1633701630-2291579631-1006
Member groups: nixadmins
Member of groups: nixadmins
Indirect Member groups: nixadmins_external
-------------------------
Number of members added 1
-------------------------
#
# ipa trustdomain-find abc.xyz
Domain name: abc.xyz
Domain NetBIOS name: ABC
Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
#
[realms]
DOM.ABC.XYZ = {
.
.
.
auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
auth_to_local = DEFAULT
}
# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find
command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
Domain name: abc.xyz
Domain NetBIOS name: ABC
Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find
command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
#
The following command successfully returns all AD objects under the
Users cn.
# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
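
One check that can be run on the output quoted in the post above (an added example, not part of the original message and not FreeIPA code): compare the domain portion of each "External member" SID with the SIDs that ipa trustdomain-find lists. The function names are hypothetical and the sample text is the SID-bearing lines copied from the post.

```python
import re
# SID-bearing lines copied from the post above; nothing else is assumed.
GROUP_OUTPUT = """\
  Group name: nixadmins_external
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006
"""
TRUSTDOMAIN_OUTPUT = """\
  Domain name: abc.xyz
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
"""
# Account SID: domain SID (S-1-5-21-a-b-c) followed by one relative ID.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")


def split_sid(sid):
    """Split an account SID S-1-5-21-a-b-c-RID into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def trusted_domains(trustdomain_output):
    """Map domain SID -> domain name from `ipa trustdomain-find` output."""
    domains, name = {}, None
    for line in trustdomain_output.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Domain name":
            name = value
        elif key == "Domain Security Identifier":
            domains[value] = name
    return domains


def check_external_members(group_output, trustdomain_output):
    """Return [(sid, rid, trusted domain name or None)] per external member."""
    domains = trusted_domains(trustdomain_output)
    results = []
    for line in group_output.splitlines():
        key, _, value = line.strip().partition(": ")
        if key != "External member":
            continue
        for sid in SID_RE.findall(value):  # line may hold several SIDs
            domain_sid, rid = split_sid(sid)
            results.append((sid, rid, domains.get(domain_sid)))
    return results


if __name__ == "__main__":
    for sid, rid, dom in check_external_members(GROUP_OUTPUT, TRUSTDOMAIN_OUTPUT):
        print(sid, "RID", rid, "->", dom or "not in any listed trusted domain")
```

A result of None for a member means its SID was not issued by any domain in the trustdomain-find output supplied to the check.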