On Tue, 01 Apr 2025, Jostein Fossheim wrote:

I was not completely able to let this rest, so I dived deeper into the mystical name resolving that occurred via PowerShell.

It turns out that the SID in question has been added to the Foreign Security Principals subtree in LDAP, but it is only visible through an LDAP search or an LDAP browser other than "Active Directory Users and Computers" (ADSI Edit, for example). And it turns out that I can actually create a Domain Local Group and add the Foreign Security Principal to that group via its DN.

And now I have an AD group which contains my IPA-NAS-LDAP\admin user (and it does actually resolve in the "Active Directory Users and Computers" view as well). And to this group I can assign other rights in my Active Directory. I have only tested with file services so far, though, and I can indeed regulate access control for my IPA users, so I am quite satisfied so far.

Good, thanks for the investigation.

As you can see in the attached picture, I am actually also able to log into Windows with my IPA user when I add my "group" to the "Allow log on locally" GPO for domain controllers. I will dig some more into the exact reason my user was added to the "Foreign Security Principals" container.

I'm sure most things will work once you have added the SID to the corresponding
ACLs. That's expected. Most of the problems I've encountered are related to
how the Windows UI is unable to discover the user/group names in those
tools in order to convert those names (later) to SIDs. So once you have
added the SID to an ACL, the SID will be used correctly.

For users, the actual issue is that the Windows UI cannot look those users up
properly. And fixing all edge cases is not always possible.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
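A scripted version of the steps Jostein describes (locate the foreignSecurityPrincipal object by SID instead of by name, put it in a Domain Local group via its DN, then check whether SID-to-name translation works from the admin host). This is an added example, not code from the thread; the SID, group name and container path are placeholders, and it assumes the RSAT ActiveDirectory module in a domain-admin session.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module,
# a domain-admin session, and that $ForeignSid is the SID of the IPA user
# (placeholder value below; take the real one from your own environment).
Import-Module ActiveDirectory

$ForeignSid = 'S-1-5-21-<placeholder>-1104'   # replace with the IPA user's SID
$GroupName  = 'IPA-Admins-Local'              # hypothetical group name
$DomainDN   = (Get-ADDomain).DistinguishedName

# 1. The trusted user only exists here as a foreignSecurityPrincipal object, so
#    search that container by objectSid; name lookup is exactly what the UI fails at.
$fsp = Get-ADObject -SearchBase "CN=ForeignSecurityPrincipals,$DomainDN" `
    -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(objectSid=$ForeignSid))"
if (-not $fsp) { throw "No foreignSecurityPrincipal object for $ForeignSid (yet)" }

# 2. Domain Local is the group scope that may contain principals from a trusted
#    forest/realm, so create the group with that scope if it does not exist.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal `
        -GroupCategory Security -Path "CN=Users,$DomainDN" -PassThru
}

# 3. Add the FSP by DN: membership is a plain LDAP attribute value, so no
#    name resolution is involved.
Add-ADGroupMember -Identity $group -Members $fsp.DistinguishedName

# 4. Verify through the raw 'member' attribute. Get-ADGroupMember tries to
#    resolve every member and can fail on foreign principals.
$members = (Get-ADGroup $group -Properties member).member
if ($members -notcontains $fsp.DistinguishedName) { throw "FSP was not added" }

# 5. Report whether this host can translate the SID to a name. A failure here is
#    the UI symptom Alexander describes, not a sign that ACLs using the SID are broken.
try {
    $name = ([System.Security.Principal.SecurityIdentifier]$ForeignSid).Translate(
        [System.Security.Principal.NTAccount]).Value
    "SID $ForeignSid resolves to $name"
} catch {
    "SID $ForeignSid does not resolve to a name here; ACLs granted to '$GroupName' still apply"
}
```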

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]