On 16.04.19 11:29, Sumit Bose via FreeIPA-users wrote:
> On Tue, Apr 16, 2019 at 11:12:18AM +0200, Ronald Wimmer via
>> On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote:
>>> On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users wrote:
>>>> I have managed to login to an IPA client with a non-existing user.
>>>> My AD user is z123456@addomain.mydomain.at and I have created a similar user
>>>> called i123456@ipadomain.mydomain.at. What happened now is that I could log
>>>> in with the i-User and what I get to see after logging in is this:
>>>> [firstname.lastname@example.org@as12314 ~]$ id
>>>> [email@example.com@as12314 ~]$ whoami
>>>> The user i123456@addomain.mydomain.at does NOT exist.
>>>> addomain is set as default domain in the client's sssd.conf.
>>> Does this change if you remove the default_domain_suffix option from the
>>> client? Is this option set on the server as well? What is currently
>>> displayed for the user on the server?
>>> In general default_domain_suffix should not be used anymore, better is
>>> to define a domain lookup order on the IPA server.
>> I could not reproduce it anymore. UID and GID of the user were correct.
>> Maybe I used the POSIX group I mapped to an AD group in an incorrect way.
>> The group had the actual AD group as an external member and I also added the
>> IPA user (i123456) to this exact POSIX group. I bet that it is not
>> recommended to do that?
> Do you mean this group is a POSIX group and an external group at the
> same time? I think this is not recommended (supported?). Please add the
> AD users and groups to external groups and then add the external groups
> to POSIX groups. Nevertheless I think this is not the reason for the
> wrong names you have seen.
No. As the documentation advises, I've created an external group that
contains the AD group. After that, I created an IPA (POSIX) group that
has the external group as a member. Additionally, I added an IPA user to
that POSIX group. (Doing that I am mixing AD and IPA users in a group.
Is it ok to do that?)