To make it work we:
- 1) create an external group with the same name as the AD-Group and the external suffix for the AD group web-users (example: ug-web-users-external), the AD group can be seen in the External tab of this group in the Web UI
- 2) create a POSIX Group with the name of the AD-Group with no suffix (example: ug-web-users), in that group, the name of the EXTERNAL GROUP can be found in the User Groups tab of the Web-UI, for that group...
Like that it works by following the chain (Posix group, External group, AD group)...
The external groups are AD-like groups with Windows settings. The POSIX groups are Unix-like groups with the required settings (uid, gid, shell etc... settings).
The chain allows to combine those settings on the same AD user...
Bernard LHEUREUX Linux & System Engineer http://www.win.be
-----Original Message-----
From: Ronald Wimmer via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: Tuesday, 6 June 2023 08:47
To: freeipa-users@lists.fedorahosted.org
Cc: Ronald Wimmer ronaldw@ronzo.at
Subject: [Freeipa-users] Re: AD user does not show up in IPA
On 06.06.23 08:42, Ronald Wimmer via FreeIPA-users wrote:
We do have the problem that a user from an AD group does not show up in IPA whereas all other users of this particular group do. The AD group is used for PAM authorization in Apache.
The AD group is correctly mapped in IPA. However, the AD group is a domain local group. (shouldn't these groups not work at all in combination with IPA?)
The only thing we saw immediately in the log files was "user not known to the underlying PAM module". What else should we look for?
We will, of course, follow the SSSD troubleshooting steps (https://sssd.io/troubleshooting/basics.html) but we did not have time to do so up to this moment.