#2955 Domain Users SID and primary group fallback are missing
Closed: Fixed. Opened 11 years ago by abbra.

Users created by default in IPAv3 don't belong to any POSIX group other than the UPG. This means they don't have a SID assigned to their primary group. Additionally, a primary group fallback is not defined in the domain object.

A primary group fallback SID needs to be defined and, as one of the options, the 'ipausers' group should get the Domain Users SID set for it.


As the ipausers group is not a POSIX group, we'll not use it. Instead we'll create a POSIX group explicitly named as to avoid putting anything in it. This group will get the 'Domain Users' SID (-513) assigned and will be used as the primary group fallback.

We want to avoid putting users in such a group because unrolling it will incur a lot of processing, and this is what we wanted to avoid with the ipausers group being non-POSIX.

The ipa-kdb driver and the ipa-sam passdb module will need to take care of the group fallback.

Rename "trusts" component to "Trusts" to achieve correct sorting.

Metadata Update from @abbra:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.0 RC2

7 years ago
