On Tue, Apr 16, 2019 at 11:12:18AM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote:
> On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > I have managed to login to an IPA client with a non-existing user.
> >
> > My AD user is z123456@addomain.mydomain.at and I have created a similar user
> > called i123456@ipadomain.mydomain.at. What happened now is that I could log
> > in with the i-User and what I get to see after logging in is this:
> >
> > [i123456@addomain.mydomain.at@as12314 ~]$ id
> > uid=1246600007(i123456@addomain.mydomain.at)
> > gid=1246600007(i123456@addomain.mydomain.at)
> > groups=1246600007(i123456@addomain.mydomain.at),1246600016(my-ad-group@ipadomain.mydomain.at)
> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > [i123456@addomain.mydomain.at@as12314 ~]$ whoami
> > i123456@addomain.mydomain.at
> >
> > The user i123456@addomain.mydomain.at does NOT exist.
> >
> > addomain is set as default domain in the client's sssd.conf.
> Does this change if you remove the default_domain_suffix option from the
> client? Is this option set on the server as well? What is currently
> displayed for the user on the server?
>
> In general default_domain_suffix should not be used anymore, better is
> to define a domain lookup order on the IPA server.
> I could not reproduce it anymore. UID and GID of the user were correct.
> Maybe I used the POSIX group I mapped to an AD group in an incorrect way.
> The group had the actual AD group as an external member and I also added the
> IPA user (i123456) to this exact POSIX group. I bet that it is not
> recommended to do that?
Do you mean this group is a POSIX group and an external group at the
same time? I think this is not recommended (supported?). Please add the
AD users and groups to external groups and then add the external groups
to POSIX groups. Nevertheless, I think this is not the reason for the
wrong names you have seen.
> Where should the domain lookup order on the IPA servers be specified?
ipa config-mod --domain-resolution-order=......
bye,
Sumit
>
> Cheers,
> Ronald
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://getfedora.org/code-of-conduct.html
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
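The two changes Sumit recommends, as an added example script that is not part of the thread: it removes default_domain_suffix from a constructed client sssd.conf and, when run with --apply-server, sets the server-side domain resolution order and builds the AD group -> external group -> POSIX group chain. The domain names are the thread's; the group name my-ad-group-external, the sample config and the --apply-server switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the two changes Sumit recommends.
#  1. client side: drop default_domain_suffix from sssd.conf
#  2. server side: set a domain resolution order and build the
#     AD group -> external group -> POSIX group chain
# Domain names are the thread's; group names and the sample config
# are assumptions constructed for this example.
set -eu

IPA_DOMAIN="ipadomain.mydomain.at"
AD_DOMAIN="addomain.mydomain.at"

# Constructed client config mirroring the reported setup.
sample_sssd_conf() {
    cat <<EOF
[sssd]
domains = ${IPA_DOMAIN}
default_domain_suffix = ${AD_DOMAIN}
services = nss, pam

[domain/${IPA_DOMAIN}]
id_provider = ipa
ipa_domain = ${IPA_DOMAIN}
EOF
}

# Pass the config on stdin through with every default_domain_suffix line removed.
strip_default_domain_suffix() {
    sed -e '/^[[:space:]]*default_domain_suffix[[:space:]]*=/d'
}

# Number of default_domain_suffix lines in the config on stdin (0 = clean).
count_default_domain_suffix() {
    grep -c '^[[:space:]]*default_domain_suffix[[:space:]]*=' || true
}

# Server side; needs a Kerberos ticket for an IPA admin. Listing the IPA
# domain first makes a bare short name resolve to the IPA user, not the AD one.
# Assumes a fresh setup, i.e. neither group exists yet.
configure_server() {
    ipa config-mod --domain-resolution-order="${IPA_DOMAIN}:${AD_DOMAIN}"
    ipa group-add --external my-ad-group-external --desc "AD members"
    ipa group-add-member my-ad-group-external --external "my-ad-group@${AD_DOMAIN}"
    ipa group-add my-ad-group --desc "POSIX group carrying the AD members"
    ipa group-add-member my-ad-group --groups my-ad-group-external
}

# Dry by default: print the cleaned client config; --apply-server runs the ipa commands.
sample_sssd_conf | strip_default_domain_suffix
if [ "${1:-}" = "--apply-server" ]; then configure_server; fi
```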