On Tue, 06 Jun 2023, Ronald Wimmer via FreeIPA-users wrote:
> We do have the problem that a user from an AD group does not show up in IPA whereas all other users of this particular group do. The AD group is used for PAM authorization in Apache.
> The AD group is correctly mapped in IPA. However, the AD group is a domain local group. (shouldn't these groups not work at all in combination with IPA?)
They should not.
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/597...
---------
Domain local groups: These groups can contain members from any trusted domain, but are granted permissions only to resources in their own domain. A domain administrator can create a domain local group for each resource that exists within a domain, such as file shares or printers, and then add the appropriate global groups from each domain to this domain local group. The domain administrator then assigns the appropriate permissions for the resources to the domain local group.
---------
We have https://pagure.io/freeipa/issue/6947 to prevent them from even being specified when mapping groups but this is not something we can do without SSSD giving us this information. They currently don't provide this detail.
> The only thing we saw immediately in the log files was "user not known to the underlying PAM module". What else should we look for?
Don't use domain local groups from a trusted forest's domains to make decisions on access to resources in IPA. Use any of universal or domain global groups.
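Since, as the reply above notes, SSSD does not surface the group scope to IPA, the practical check is on the AD side: read each mapped group's groupType attribute (e.g. with ldapsearch or Get-ADGroup) and decode it. The script below is an added example, not code from this thread or from the FreeIPA project; it decodes the documented AD groupType bits (0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security-enabled) and flags any group that is not a security-enabled global or universal group. The group records and names are constructed sample data shaped like ldapsearch output.

```python
# Added example: decode the AD groupType bitmask so an IPA admin can audit
# mapped AD groups and spot domain local ones before relying on them for
# access decisions. Flag values are the documented AD groupType bits.

GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002          # "account group" in AD terms
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004    # "resource group" in AD terms
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def group_scope(group_type: int) -> str:
    """Return the scope name for a raw groupType value.

    AD stores groupType as a signed 32-bit integer, so LDAP tools print
    e.g. -2147483644 for a domain local security group; normalise to
    unsigned before testing the flag bits.
    """
    flags = group_type & 0xFFFFFFFF
    if flags & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain local"
    if flags & GROUP_TYPE_GLOBAL:
        return "global"
    if flags & GROUP_TYPE_UNIVERSAL:
        return "universal"
    if flags & GROUP_TYPE_BUILTIN_LOCAL:
        return "builtin local"
    return "unknown"


def is_security_group(group_type: int) -> bool:
    """Distribution groups never appear in a user's token, so only
    security-enabled groups matter for authorization."""
    return bool((group_type & 0xFFFFFFFF) & GROUP_TYPE_SECURITY_ENABLED)


def usable_for_ipa_access(group_type: int) -> bool:
    """True only for security-enabled global or universal groups, which is
    the advice given in the thread; domain local groups are rejected."""
    return is_security_group(group_type) and group_scope(group_type) in (
        "global",
        "universal",
    )


# Constructed sample records (hypothetical names) shaped like the cn and
# groupType attributes an ldapsearch against the AD domain would return.
SAMPLE_GROUPS = [
    {"cn": "web-admins", "groupType": -2147483644},  # domain local, security
    {"cn": "all-staff", "groupType": -2147483646},   # global, security
    {"cn": "forest-ops", "groupType": -2147483640},  # universal, security
    {"cn": "mail-list", "groupType": 8},             # universal, distribution
]


def audit_groups(records):
    """Return (cn, scope, ok) per record so the admin can see which mapped
    groups will not behave as expected through the IPA trust."""
    return [
        (r["cn"], group_scope(r["groupType"]), usable_for_ipa_access(r["groupType"]))
        for r in records
    ]


if __name__ == "__main__":
    for cn, scope, ok in audit_groups(SAMPLE_GROUPS):
        verdict = "OK" if ok else "do not use for IPA access"
        print(f"{cn:12s} {scope:14s} {verdict}")
```

Run it against the real groupType values pulled from AD; any group reported as "domain local" (or as a distribution group) is a candidate explanation for users missing from the mapped group on the IPA side.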