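I tried several approaches that didn't seem to work, but ultimately I'm trying to use the ipa group-add-member ...
command to add multiple external users to a non-POSIX group.
Note: These external users come in through a trust with an Active Directory environment.
Usage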
$ ipa -v help group-add-member
Usage: ipa [global-options] group-add-member GROUP-NAME [options]
Add members to a group.
Options:
-h, --help show this help message and exit
--external=STR Members of a trusted domain in DOM\name or name@domain form
--all Retrieve and print all attributes from the server. Affects
command output.
--raw Print entries as stored on the server. Only affects output
format.
--no-members Suppress processing of membership attributes.
--users=STR users to add
--groups=STR groups to add
What I'm trying to do
$ ipa -n group-add-member ad_users_external \
--external="[email protected],[email protected]"
Group name: ad_users_external
Description: External group of admins from AD
External member: S-2-3-12-1396123456-1786123456-1027123456-123456
Member of groups: ad_users
Failed members:
member user:
member group: [email protected],[email protected]: invalid 'trusted domain object': Ambiguous search, user domain was not specified
-------------------------
Number of members added 0
-------------------------
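Answer 1
If you look at the man page for the CLI tool, ipa,
you'll find some examples that show how to accomplish this, although not directly with the add-group-members
subcommand.
Man page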
ipa group-add-member bar --users={admin,foo}
Add users "admin" and "foo" to the group "bar". This approach depends on shell expansion feature.
So you need to pass the list of users to the --external switch using curly braces and commas.
Example
$ ipa -n group-add-member ad_users_external \
--external={[email protected],[email protected]}
Group name: ad_users_external
Description: External group of admins from AD
External member: S-1-5-21-1396123456-17861234567-1027123456-123456, S-1-5-21-1396123456-1786123456-1027123456-123456
Member of groups: ad_users
-------------------------
Number of members added 2
-------------------------
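Added example, not part of the original question or answer: the quoted form in the question reaches ipa as a single member string containing a comma, while the brace form is expanded by the shell into one --external option per user. The POSIX sh sketch below builds those separate options explicitly, so it does not depend on brace expansion, and rejects any member that lacks a domain part. The function names, the IPA_CMD override and the user names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pass each AD user as its own --external option.
# IPA_CMD is a hypothetical override used for dry runs; it defaults to ipa.

# has_domain MEMBER: true for the name@domain or DOM\name forms that the
# --external help text lists.
has_domain() {
    case $1 in
        ?*@?* | ?*\\?*) return 0 ;;
        *) return 1 ;;
    esac
}

# external_opts MEMBER...: print one --external=MEMBER line per member.
# Comma-joined input is split first; a member without a domain is an error.
external_opts() {
    members=$(printf '%s\n' "$@" | tr ',' '\n')
    opts=
    while IFS= read -r m; do
        [ -n "$m" ] || continue
        has_domain "$m" || { printf 'no domain: %s\n' "$m" >&2; return 1; }
        opts="${opts}--external=${m}
"
    done <<EOF
$members
EOF
    printf '%s' "$opts"
}

# add_external_members GROUP MEMBER...: run group-add-member once with
# every member as a separate argument.
add_external_members() {
    group=$1
    shift
    opts=$(external_opts "$@") || return 1
    old_ifs=$IFS
    IFS='
'
    set -f                 # no globbing while splitting on newlines
    set -- $opts
    set +f
    IFS=$old_ifs
    ${IPA_CMD:-ipa} -n group-add-member "$group" "$@"
}

# Usage (constructed names):
#   add_external_members ad_users_external 'alice@ad.example.test,bob@ad.example.test'
```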