On 2025-04-01 12:25, Alexander Bokovoy wrote:
> On Tue, 01 Apr 2025, Jostein Fossheim wrote:
> > I was not completely able to let this rest, so I dived deeper into
> > the mystical name resolving that occurred via PowerShell.
> > It turns out that the SID in question has been added to the Foreign
> > Security Principals subtree in LDAP, but is only visible through an
> > LDAP search or an LDAP browser other than "Active Directory Users and
> > Computers", ADSI Edit for example. And it turns out that I can
> > actually create a Domain Local Group and add the Foreign Security
> > Principal to that group via its DN.
> > And now I have an AD group which contains my IPA-NAS-LDAP\admin user
> > (and it does actually resolve in the "Active Directory Users and
> > Computers" view as well). And to this group I can assign other rights
> > in my Active Directory. I have only tested with file services so
> > far, but I can indeed regulate access control for my
> > IPA users, so I am quite satisfied so far.
> Good, thanks for the investigation.
> > As you can see in the attached picture, I am actually also able to
> > log into Windows with my IPA user when I add my "group" to the
> > "Allow log on locally" GPO for domain controllers. I will dig some
> > more into the exact reason my user was added to the "Foreign
> > Security Principals" container.
> I'm sure most things will work once you have added the SID to the corresponding
> ACLs. That's expected. Most of the problems I've encountered are related to
> how the Windows UI is unable to discover the user/group names in those
> tools to be able to convert those names (later) to SIDs. So once you have
> added the SID to an ACL, the SID will be used correctly.
> For users, the actual issue is that the Windows UI cannot look those users up
> properly. And fixing all edge cases is not always possible.
That is understandable; I understand that this is not a universal solution
for very large/complex environments, but for the few Windows
servers/resources we are managing, this approach seems to potentially
solve everything that is needed.
It might be valuable for others as well. And the user seems to resolve
everywhere I look in the UI now, for example in the file system ACLs
for the local profile folder. But probably not searchable.
I will keep digging more, and report back when I have gotten even further
to the bottom of this.
--
Kind regards
Jostein Fossheim
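The procedure described in the thread (locate the Foreign Security Principal for the IPA user's SID, put it in a Domain Local group, then hand that group the rights) can be scripted with the RSAT ActiveDirectory module. The block below is an added example written for this page, not code from the thread or from the FreeIPA project. It assumes the ActiveDirectory module is installed on an AD domain member with a working trust to the IPA domain; the SID, the group name and the folder path are placeholders, and the ADSI `LDAP://<SID=...>` binding used when no FSP object exists yet is an assumption about AD behaviour that you should confirm in your own environment.

```powershell
# Added example (not from the thread): make a FreeIPA user usable in AD ACLs
# through a Foreign Security Principal (FSP) and a Domain Local group.
# Placeholders: $IpaUserSid (take it from `ipa user-show --all`), $GroupName,
# $SharePath. The trust to the IPA domain is assumed to be in place.
Import-Module ActiveDirectory

$IpaUserSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'  # placeholder SID
$GroupName  = 'IPA-Admins-DL'                                    # hypothetical group name
$SharePath  = 'C:\Shares\ipa-admins'                             # hypothetical folder

$domain       = Get-ADDomain
$fspContainer = "CN=ForeignSecurityPrincipals,$($domain.DistinguishedName)"

# 1. Look for the FSP by SID. The ADUC object picker cannot search this
#    container, but a plain LDAP search (or ADSI Edit) sees it.
$fsp = Get-ADObject -SearchBase $fspContainer -LDAPFilter "(objectSid=$IpaUserSid)"

# 2. Create the Domain Local security group if it does not exist. Domain Local
#    scope is required: it is the scope that may contain principals from a
#    trusted forest.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal `
                         -GroupCategory Security -PassThru
}

# 3. Add the IPA user. When the FSP object already exists, add it by DN as in
#    the thread. When it does not, bind through the SID via ADSI (assumed
#    behaviour: AD creates the FSP object on first use of a foreign SID).
if ($fsp) {
    Add-ADGroupMember -Identity $group -Members $fsp.DistinguishedName
} else {
    $adsiGroup = [ADSI]"LDAP://$($group.DistinguishedName)"
    $adsiGroup.Add("LDAP://<SID=$IpaUserSid>")
}

# 4. Verify membership from the raw member attribute rather than
#    Get-ADGroupMember, which expands members and trips over foreign principals.
$members = (Get-ADGroup -Identity $group -Properties member).member
$members | ForEach-Object { Write-Host "member: $_" }

# 5. Check SID-to-name resolution. This goes through the trust (LSA lookup);
#    a failure here explains the UI symptoms in the thread, while ACL checks
#    still match on the SID stored in the ACE.
try {
    $account = ([System.Security.Principal.SecurityIdentifier]$IpaUserSid).
        Translate([System.Security.Principal.NTAccount])
    Write-Host "SID resolves to: $($account.Value)"
} catch {
    Write-Warning "SID does not resolve to a name; ACEs will still match by SID."
}

# 6. Grant the group Modify on a folder. The ACE stores the group's SID, so
#    the IPA user gets access even if the UI cannot display their name.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
icacls $SharePath /grant "$($domain.NetBIOSName)\$($GroupName):(OI)(CI)M"
```

Granting the group "Allow log on locally" is a Group Policy setting rather than a file ACL, so it is not scripted here; the same group object can be referenced in that GPO once it exists.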
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue