On 12/2/2016 8:43 AM, Sumit Bose wrote:
On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
Hey All,
I've successfully mapped the nixadmins to the external group
nixadmins_external. However no users in that group make it over to Free IPA
that I can see.
ipa group-add-member nixadmins_external --external "nixadmins"
Windows AD users, 3 of them, are in the windows AD group nixadmins. However
I can't port them over.
These accounts have UNIX attributes assigned to them.
Question that I have and can't find, should I be seeing these users in the
mapped groups above? ( ie within the GUI should I see any users listed from
AD DC in nixadmins or nixadmins_external? )
no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
should show that nixadmins_external is a member of that group. With
recent version of SSSD 'getent group nixadmins_external' should list the
users from nixadmins as well, older versions might miss them.
HTH
bye,
Sumit
If there is an issue and I'm just not picking it out from the debug logs,
what to look for? Is there anything more I need to do on the Windows side
that I haven't found on the existing pages?
# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
Group name: nixadmins_external
Description: NIX Admins External map
External member: S-1-5-21-3418825849-1633701630-2291579631-1006
Member groups: nixadmins
Member of groups: nixadmins
Indirect Member groups: nixadmins_external
-------------------------
Number of members added 1
-------------------------
#
# ipa trustdomain-find abc.xyz
Domain name: abc.xyz
Domain NetBIOS name: ABC
Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
#
[realms]
DOM.ABC.XYZ = {
.
.
.
auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
auth_to_local = DEFAULT
}
# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command
to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
Domain name: abc.xyz
Domain NetBIOS name: ABC
Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command
to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
#
The following command successfully returns all AD objects under the Users
cn.
# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b
"cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Nothing:
# id t...@abc.xyz
id: t...@abc.xyz: no such user
# getent group nixadmins_external
# getent group nixadmins
nixadmins:*:1746600012:
#
I'll enable debug logging to determine further.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
