On Tue, Apr 16, 2019 at 11:56:32AM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 16.04.19 11:29, Sumit Bose via FreeIPA-users wrote:
> On Tue, Apr 16, 2019 at 11:12:18AM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote:
> > > On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users
> > > > I have managed to login to an IPA client with a non-existing user.
> > > >
> > > > My AD user is z123456(a)addomain.mydomain.at and I have created a
> > > > called i123456(a)ipadomain.mydomain.at. What happened now is that I
> > > > in with the i-User and what I get to see after logging in is this:
> > > >
> > > > [email@example.com(a)as12314 ~]$ id
> > > > uid=1246600007(i123456(a)addomain.mydomain.at)
> > > > gid=1246600007(i123456(a)addomain.mydomain.at)
> > > > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > > [firstname.lastname@example.org(a)as12314 ~]$ whoami
> > > > i123456(a)addomain.mydomain.at
> > > >
> > > > The user i123456(a)addomain.mydomain.at does NOT exist.
> > > >
> > > > addomain is set as default domain in the client's sssd.conf.
> > > Does this change if you remove the default_domain_suffix option from the
> > > client? Is this option set on the server as well? What is currently
> > > displayed for the user on the server?
> > >
> > > In general default_domain_suffix should not be used anymore, better is
> > > to define a domain lookup order on the IPA server.
> > I could not reproduce it anymore. UID and GID of the user were correct.
> > Maybe I used the POSIX group I mapped to an AD group in an incorrect way.
> > The group had the actual AD group as an external member and I also added the
> > IPA user (i123456) to this exact POSIX group. I bet that it is not
> > recommended to do that?
> Do you mean this group is a POSIX group and an external group at the
> same time? I think this is not recommended(supported?). Please add the
> AD users and groups to external groups and then add the external groups
> to POSIX groups. Nevertheless I think this is not the reason for the
> wrong names you have seen.
No. As the documentation advises I've created an external group that
contains the AD group. After that, I created an IPA (POSIX) group that has
the external group as a member. Additionally, I added an IPA user to that
POSIX group. (Doing that I am mixing AD and IPA users in a group. Is it ok
to do that?)
Yes, since you are not "mixing AD and IPA users in a group" but IPA
users and IPA external groups.
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: