We have a trust between the ipa domain (ipa.mydomain.at) and some AD domain (windows.mydomain.at).
A user 'userxy' exists in both domains.
userxy@windows.mydomain.at is not mapped into IPA as described in https://access.redhat.com/solutions/1506103
ipadomainresolutionorder is set to windows.mydomain.at,ipa.mydomain.at,someotherdomain.mydomain.at
Should userxy@windows.mydomain.at be visible (getent passwd, id) in IPA or not? (because it is and I did not expect this)
Cheers, Ronald
On Wed, Mar 5, 2025 at 6:16 PM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
We have a trust between the ipa domain (ipa.mydomain.at) and some AD domain (windows.mydomain.at).
A user 'userxy' exists in both domains.
userxy@windows.mydomain.at is not mapped into IPA as described in https://access.redhat.com/solutions/1506103
ipadomainresolutionorder is set to windows.mydomain.at,ipa.mydomain.at,someotherdomain.mydomain.at
Should userxy@windows.mydomain.at be visible (getent passwd, id) in IPA or not? (because it is and I did not expect this)
Once you have a trust between IPA and AD, yes, the user is visible in IPA.
Below is some output from a machine with only the one-way trust set:
```
[root@server-trust /]# ipa idoverrideuser-find "Default Trust View"
---------------------------
0 User ID overrides matched
---------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@server-trust /]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@LINUX.IPA.TEST, root@LINUX.IPA.TEST
  UID: 60000
  GID: 60000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@server-trust /]# getent passwd jdoe@ad.ipa.test
jdoe@ad.ipa.test:*:1499401108:1499401108:John Doe:/home/ad.ipa.test/jdoe:
```
HTH,
Rafael
Cheers, Ronald
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
On Wed, Mar 05, 2025 at 10:16:08PM +0100, Ronald Wimmer via FreeIPA-users wrote:
We have a trust between the ipa domain (ipa.mydomain.at) and some AD domain (windows.mydomain.at).
A user 'userxy' exists in both domains.
userxy@windows.mydomain.at is not mapped into IPA as described in https://access.redhat.com/solutions/1506103
Hi,
please note that the solution above is about adding (mapping) AD users to IPA groups so that they are members of those groups. This is unrelated to the general visibility of the user. Without the mapping the user will just be a member of its AD groups, which is fine.
HTH
bye, Sumit
ipadomainresolutionorder is set to windows.mydomain.at,ipa.mydomain.at,someotherdomain.mydomain.at
Should userxy@windows.mydomain.at be visible (getent passwd, id) in IPA or not? (because it is and I did not expect this)