Bug 1311502
| Summary: | [RFE] compat tree: show AD members of IPA groups | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Kurik <jkurik> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.3 | CC: | abokovoy, bobby.prins, dpal, ekeck, enewland, jbaird, jcholast, ksiddiqu, mkosek, mvarun, nsoman, pvoborni, rcritten, sumenon, wdh |
| Target Milestone: | rc | Keywords: | FutureFeature, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.2.0-15.el7_2.9 | Doc Type: | Enhancement |
| Doc Text: |
The Schema Compatibility plug-in did not expose users from a trusted Active Directory (AD) forest as part of IdM groups even if the group membership was defined in IdM. This prevented legacy clients from subjecting AD users to sudo rules and group-restricting access rules. External members of IdM groups are now resolved and their information exported to the plug-in, thus improving compatibility with legacy clients.
|
Story Points: | --- |
| Clone Of: | 1301901 | Environment: | |
| Last Closed: | 2016-05-12 09:58:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1301901 | ||
| Bug Blocks: | |||
|
Description
Jan Kurik
2016-02-24 11:40:52 UTC
Verified using ipa-server-4.2.0-15.el7_2.10.x86_64 sssd-1.13.0-40.el7_2.2.x86_64 ===IPA Server=== 1. Created Global Security Group added members from parent domain. [root@host2 ~]# getent group group1 group1:*:760201726:user2,user1 2. Created Global Security Group added members from child domain. [root@host2 ~]# getent group group2.qe group2.qe:*:1269801135:user4.qe,user3.qe 3. Created Universal Security Group and added members from parent/child domain. [root@host2 ~]# getent group universal1 universal1:*:760201725:user3.qe,user1 4. Created Universal Security Group and added members from parent/child domain. [root@host2 ~]# getent group universe2.qe universe2.qe:*:1269801136:user4.qe,user2 5. After removing user from group, found that getent group is also updated. a. After removing user3.qe from universal1 group [root@host2 ~]# getent group universal1 universal1:*:760201725:user1 b. After removing user2 from universe2.qe group [root@host2 ~]# getent group universe2.qe universe2.qe:*:1269801136:user4.qe 6. External Group [root@host2 ~]# ipa group-add --external ext_ad_administrators --desc "PNE.QE\Administrators" ----------------------------------- Added group "ext_ad_administrators" ----------------------------------- Group name: ext_ad_administrators Description: PNE.QE\Administrators [root@host2 ~]# ipa group-add-member ext_ad_administrators --external "PNE\Domain Admins" [member user]: [member group]: Group name: ext_ad_administrators Description: PNE.QE\Administrators External member: S-1-5-21-2828791737-1866347024-3967946728-512 ------------------------- Number of members added 1 ------------------------- [root@host2 ~]# ipa group-add ad_administrators ------------------------------- Added group "ad_administrators" ------------------------------- Group name: ad_administrators GID: 967200021 [root@host2 ~]# ipa group-add-member ad_administrators --group ext_ad_administrators Group name: ad_administrators GID: 967200021 Member groups: ext_ad_administrators ------------------------- Number of members added 1 ------------------------- [root@host2 ~]# getent group ad_administrators ad_administrators:*:967200021:Administrator The same output was seen on the IPA-client. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-1036.html |