On Thu, Mar 11, 2021 at 02:53:27AM -0000, Lachlan Musicman via FreeIPA-users wrote:
> Can I please get clarification on a FreeIPA instance (as IdM in RHEL8.3) and
> AD's POSIX attributes?
>
> From what I can see, the POSIX attributes - are ignored?
>
> Specifically, when I run
>
> $ id u...@ad.domain.com
> $ id -u u...@ad.domain.com
> $ id -g u...@ad.domain.com
>
> The POSIX attribute values are not being returned. I am getting a correct
> list of AD groups etc, which is great. But no POSIX attributes. Do I need to
> explicitly request those attributes?
>
> I note that there is an article from 2017 (1) "Configuring an Active
> Directory Domain with POSIX Attributes" which declares itself deprecated for
> (2) "Chapter 8. Using ID Views in Active Directory Environments", which is
> RHEL7. From what I can see both of these are about direct attachment to AD
> rather than for use in an IPA instance (although they reference IdM)
>
> It looks like AD side POSIX attributes are only available to direct
> integration and even then only when specifically installed with realm (direct
> integration) and --automatic-id-mapping=no (3)

Hi,

FreeIPA currently allows two different idrange types when creating a trust:
'ipa-ad-trust-posix' and 'ipa-ad-trust'. With the first, FreeIPA will use the
POSIX IDs stored in AD, while the latter will automatically create UIDs and GIDs
for AD users and groups.

HTH

bye,
Sumit

>
>
> (1) https://access.redhat.com/articles/3023821
> (2) https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/id-views
> (3) https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory#using-posix-attributes-defined-in-active-directory_connecting-directly-to-ad
>
>
> Cheers
> L.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
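
The following is an added illustration, not part of the original thread and not FreeIPA or SSSD code: a simplified Python model of how the two idrange types named in the reply produce a UID for a trusted AD user. The SID, range values and uidNumber are constructed, the class and function names are hypothetical, and the model assumes the 'ipa-ad-trust' mapping is base ID plus the offset of the user's RID within the range.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdRange:
    """Subset of an IPA idrange entry relevant to ID resolution (assumed model)."""
    range_type: str    # 'ipa-ad-trust' or 'ipa-ad-trust-posix'
    base_id: int       # first POSIX ID of the range
    size: int          # number of IDs in the range
    base_rid: int = 0  # first RID covered by the range


def rid_of(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def resolve_uid(rng: IdRange, sid: str,
                ad_uid_number: Optional[int] = None) -> Optional[int]:
    """UID presented for an AD user, or None if no UID can be derived."""
    if rng.range_type == "ipa-ad-trust-posix":
        # POSIX range: the uidNumber stored in AD is used as-is.
        # A user without uidNumber in AD has no POSIX identity.
        return ad_uid_number
    if rng.range_type == "ipa-ad-trust":
        # Algorithmic range: AD's uidNumber is ignored and the UID is
        # computed from the RID's offset inside the range.
        offset = rid_of(sid) - rng.base_rid
        if not 0 <= offset < rng.size:
            return None  # RID falls outside the range
        return rng.base_id + offset
    raise ValueError(f"unsupported range type: {rng.range_type}")


# Constructed sample data, not taken from the thread.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
AUTO_RANGE = IdRange("ipa-ad-trust", base_id=1234000000, size=200000)
POSIX_RANGE = IdRange("ipa-ad-trust-posix", base_id=10000, size=200000)

if __name__ == "__main__":
    # Same AD user (uidNumber 10001 in AD) under each range type.
    print(resolve_uid(AUTO_RANGE, SAMPLE_SID, ad_uid_number=10001))
    print(resolve_uid(POSIX_RANGE, SAMPLE_SID, ad_uid_number=10001))
```

With the 'ipa-ad-trust' range the AD-side uidNumber never appears in the result, which matches the behaviour described in the question.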