
8.5. Creating FreeIPA Groups for Active Directory Users

User groups are required to set access permissions, host-based access control, sudo rules, and other controls on FreeIPA users. These groups are what grant access to FreeIPA domain resources, as well as restricting access.
However, Active Directory users cannot be added directly to FreeIPA user groups. This means that Active Directory users require special configuration in order to access FreeIPA domain resources.
As described in Section 8.1.1.4, “Kerberos Realms, Authentication, and Authorization”, Active Directory users are added to the FreeIPA domain in a kind of daisy chain. They are added to a group on the Active Directory side; that group is added to a FreeIPA external group (that is, a non-POSIX group); and that external group is in turn added as a member of a local POSIX group. The FreeIPA POSIX group can then be used for user and role management of Active Directory users.
  1. Create or select the group in the Active Directory domain to use to manage Active Directory users in the FreeIPA realm. (Multiple groups can be used and added to different groups on the FreeIPA side.)
  2. Create an external group in the FreeIPA domain for the Active Directory users. This group corresponds to the Active Directory group. The --external argument indicates that this group will contain members from outside the FreeIPA domain. For example:
    [root@ipaserver ~]# ipa group-add --desc='AD users external map' ad_users_external --external
    -------------------------------
    Added group "ad_users_external"
    -------------------------------
      Group name: ad_users_external
      Description: AD users external map
  3. Create the POSIX group that FreeIPA policies (HBAC rules, sudo rules, and so on) will actually reference.
    [root@ipaserver ~]# ipa group-add --desc='AD users' ad_users
    ----------------------
    Added group "ad_users"
    ----------------------
      Group name: ad_users
      Description: AD users
      GID: 129600004
  4. Add the Active Directory group to the FreeIPA external group as an external member. The Active Directory group is identified by the name DOMAIN\group_name. The group name is then mapped to the Active Directory SID for the group. For example:
    [root@ipaserver ~]# ipa group-add-member ad_users_external --external "AD\Domain Users"
     [member user]: 
     [member group]: 
      Group name: ad_users_external
      Description: AD users external map
      External member: S-1-5-21-3655990580-1375374850-1633065477-513 SID_DOM_GROUP (2)
    -------------------------
    Number of members added 1
    -------------------------
  5. Add the external FreeIPA group to the POSIX FreeIPA group as a member. For example:
    [root@ipaserver ~]# ipa group-add-member ad_users --groups ad_users_external
      Group name: ad_users
      Description: AD users
      GID: 129600004
      Member groups: ad_users_external
    -------------------------
    Number of members added 1
    -------------------------
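The same five-step chain, wrapped in checked shell functions with a verification pass, as an added example that is not part of the FreeIPA documentation. It assumes the ipa CLI is on PATH and the caller already holds an admin Kerberos ticket; the IPA variable, the function names and the descriptions are this example's own choices.

```shell
#!/bin/sh
# Constructed example (not from the FreeIPA docs): builds the AD group ->
# external group -> POSIX group chain and confirms each link took effect.
# Assumes the ipa CLI and a valid admin ticket; IPA can be overridden for dry runs.
IPA="${IPA:-ipa}"

# An AD group must be written as NETBIOS_DOMAIN\group so the trust can resolve it.
valid_ad_ref() {
  bs='\'
  case "$1" in
    *"$bs"*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Steps 2-5: external group, POSIX group, AD group -> external, external -> POSIX.
ad_group_chain() {
  ad_ref=$1; ext=$2; posix=$3
  valid_ad_ref "$ad_ref" || { echo "bad AD reference: $ad_ref" >&2; return 1; }
  "$IPA" group-add --desc="$ad_ref external map" "$ext" --external >/dev/null || return 1
  "$IPA" group-add --desc="$ad_ref POSIX group" "$posix" >/dev/null || return 1
  "$IPA" group-add-member "$ext" --external "$ad_ref" >/dev/null || return 1
  "$IPA" group-add-member "$posix" --groups "$ext" >/dev/null || return 1
  verify_chain "$ad_ref" "$ext" "$posix"
}

# Confirm the AD name was mapped to a SID (trust lookup succeeded) and that the
# external group is nested in the POSIX group; either missing means the chain is broken.
verify_chain() {
  ext=$2; posix=$3
  "$IPA" group-show "$ext" | grep -q 'External member: S-1-5-' || {
    echo "no SID recorded for $1 in $ext (trust lookup failed?)" >&2; return 1; }
  "$IPA" group-show "$posix" | grep -q "Member groups:.*$ext" || {
    echo "$ext is not a member of $posix" >&2; return 1; }
}

# Usage: ad_group_chain 'AD\Domain Users' ad_users_external ad_users
```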