Hello everybody,
Can anyone explain which attribute is used to look up/resolve group names in AD? As far as I can see on my IPA clients, it seems to use sAMAccountName. Is that correct?
On Wed, Jun 30, 2021 at 09:08:59AM -0000, iulian roman via FreeIPA-users wrote:
> Hello everybody,
> Can anyone explain which attribute is used to look up/resolve group names in AD? As far as I can see on my IPA clients, it seems to use sAMAccountName. Is that correct?
Hi,
IPA clients will ask IPA server for AD users and groups and the IPA servers by default use the 'sAMAccountName' attribute for names of users and groups (see my other email on this list as well).
bye, Sumit
Hi Sumit,
Thank you for the answer. In that case probably I am in the right direction for finding the issue with the overrides: In AD, the 'User logon name (pre-Windows 2000)' and 'Group name (pre-Windows 2000)' are the correspondent of 'sAMAccountName'. 'sAMAccountName' should be unique afaik, therefore we cannot have a User name and Group name with the same 'sAMAccountName' (although they can have the same cn or "name" attribute).
If that is the case, how does the override work when it searches for the primary group name, taking into consideration that we cannot have 2 similar 'sAMAccountName' in AD (because a requirement for group override is to have "an existing AD group name")?