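I have tried several approaches that don't seem to work, but I'm ultimately trying to use the ipa group-add-member ... command to add multiple external users to a non-POSIX group.
Note: these external users come in from an Active Directory environment through a trust.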
    $ ipa -v help group-add-member
    Usage: ipa [global-options] group-add-member GROUP-NAME [options]

    Add members to a group.
    Options:
      -h, --help      show this help message and exit
      --external=STR  Members of a trusted domain in DOM\name or name@domain form
      --all           Retrieve and print all attributes from the server. Affects command output.
      --raw           Print entries as stored on the server. Only affects output format.
      --no-members    Suppress processing of membership attributes.
      --users=STR     users to add
      --groups=STR    groups to add

    $ ipa -n group-add-member ad_users_external \
        --external="[email protected],[email protected]"
      Group name: ad_users_external
      Description: External group of admins from AD
      External member: S-2-3-12-1396123456-1786123456-1027123456-123456
      Member of groups: ad_users
      Failed members:
        member user:
        member group: [email protected],[email protected]: invalid 'trusted domain object': Ambiguous search, user domain was not specified
    -------------------------
    Number of members added 0
    -------------------------
If you look at the man page for the CLI tool ipa, there are a few examples that show how to do this, though not directly with the add-group-members subcommand.
    ipa group-add-member bar --users={admin,foo}
        Add users "admin" and "foo" to the group "bar". This approach depends on shell expansion feature.
So you need to pass the list of users to the --external switch using braces and commas.
    $ ipa -n group-add-member ad_users_external \
        --external={[email protected],[email protected]}
      Group name: ad_users_external
      Description: External group of admins from AD
      External member: S-1-5-21-1396123456-17861234567-1027123456-123456, S-1-5-21-1396123456-1786123456-1027123456-123456
      Member of groups: ad_users
    -------------------------
    Number of members added 2
    -------------------------
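The brace form works because the shell rewrites `--external={a,b}` into `--external=a --external=b` before ipa runs. Brace expansion is not part of POSIX sh, so a provisioning script may never perform it. The sketch below is an added example, not part of the original answer: it builds one `--external=` argument per member in plain sh and rejects comma-joined or domain-less names before calling ipa. The names `add_external_members`, `dry_run` and `IPA_CMD` and the sample members are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, POSIX sh. Hypothetical names: add_external_members, dry_run, IPA_CMD.

# Dry run by default: print the command line instead of contacting the IPA server.
dry_run() { printf 'ipa %s\n' "$*"; }
IPA_CMD=${IPA_CMD:-dry_run}    # set IPA_CMD=ipa to run the real client

# usage: add_external_members GROUP MEMBER...
add_external_members() {
    if [ "$#" -lt 2 ]; then
        echo "usage: add_external_members GROUP MEMBER..." >&2
        return 2
    fi
    group=$1
    shift
    n=$#                       # number of member names supplied
    for m in "$@"; do          # the list is expanded once, before the loop body runs
        case $m in
            *,*)
                # A comma-joined value is looked up as one member name,
                # which is what the failed call in the question shows.
                printf "rejected '%s': pass each member as its own argument\n" "$m" >&2
                return 2 ;;
            ?*@?*|?*\\?*)
                ;;             # name@domain or DOM\name, the forms the help text lists
            *)
                printf "rejected '%s': no domain given\n" "$m" >&2
                return 2 ;;
        esac
        set -- "$@" "--external=$m"   # append one option per member
    done
    shift "$n"                 # drop the raw names, keep only the --external= options
    $IPA_CMD -n group-add-member "$group" "$@"
}

# Constructed sample members, not real accounts.
add_external_members ad_users_external 'alice@ad.example.test' 'AD\bob'
```
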