在 FreeIPA 中，如何使用 CLI 將多個外部帳戶添加到組中？

我嘗試了多種似乎不起作用的方法，但我最終嘗試使用該ipa group-add-member ...命令將多個外部使用者添加到非 POSIX 組。

**注意：**這些外部使用者是通過對 Active Directory 環境的信任進入的。

用法

$ ipa -v help group-add-member
Usage: ipa [global-options] group-add-member GROUP-NAME [options]

Add members to a group.
Options:
 -h, --help      show this help message and exit
 --external=STR  Members of a trusted domain in DOM\name or name@domain form
 --all           Retrieve and print all attributes from the server. Affects
                 command output.
 --raw           Print entries as stored on the server. Only affects output
                 format.
 --no-members    Suppress processing of membership attributes.
 --users=STR     users to add
 --groups=STR    groups to add

我正在嘗試做的事情

$ ipa -n group-add-member ad_users_external \
    --external="user1@AD.mydom.com,user2@AD.mydom.com"

 Group name: ad_users_external
 Description: External group of admins from AD
 External member: S-2-3-12-1396123456-1786123456-1027123456-123456
 Member of groups: ad_users
 Failed members:
   member user:
   member group: user1@AD.mydom.com,user2@AD.mydom.com: invalid 'trusted domain object': Ambiguous search, user domain was not specified
-------------------------
Number of members added 0
-------------------------

如果您查看 CLI 工具的手冊頁，ipa則有一些範例顯示瞭如何完成此操作，儘管不是直接使用add-group-members子命令。

手冊頁

 ipa group-add-member bar --users={admin,foo}
         Add users "admin" and "foo" to the group "bar". This approach depends on shell expansion feature.

--external因此，您需要使用花括號和逗號將使用者列表傳遞給交換機。

例子

$ ipa -n group-add-member ad_users_external \
    --external={user1@AD.mydom.com,user2@AD.mydom.com}

 Group name: ad_users_external
 Description: External group of admins from AD
 External member: S-1-5-21-1396123456-17861234567-1027123456-123456, S-1-5-21-1396123456-1786123456-1027123456-123456
 Member of groups: ad_users
-------------------------
Number of members added 2
-------------------------

引用自：https://serverfault.com/questions/882670