On Thu, Apr 23, 2020 at 8:47 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> Domain local groups are not visible through the forest trust, so they
> cannot be used in FreeIPA for access control means.
> Global groups can be used if they are security groups and not just
> distribution groups.
aha, thanks for this piece of information, I could not find it in the
documentation (which is probably my entire fault ;-) ).
Is this the reason why?
https://docs.microsoft.com/en-us/windows/win32/ad/group-objects
In that document, in the scope part:
group scope     group can be assigned permission in
--------------  -------------------------------------------------
universal       any domain or forest
global          Member permissions can be assigned in any domain
domain local    Member permissions can be assigned only within the same domain as the parent domain local group
Is this the technical reason the IdM trusting forest cannot see the domain
local groups? So we require global or universal groups?
I need to justify some stuff to our AD people; that's why I ask ;-)
Thanks in advance.
--
Regards,
natxo