Hola,

Centos 7, up to date.

[root@linuxidm ~]# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

One way trust is successfully established, can login with

ssh usern...@domain1.com@server1.domain2.com

I am testing to get HBAC to work.

I've noticed that with the Allow All rule in effect, the following setup
is sufficient:

add external group "ad_external"
add internal group, "ad_internal", add ad_external as a group member of
ad_internal

AD users can now successfully log in to any server.

When I tried to set up an HBAC rule, I couldn't get that setup to work; I
needed to complete the extra step of adding AD users explicitly to the
"external member" group of the external group.

I also note that this seems to be explicitly user based, not group based?
I.e., I can add lach...@domain1.com to the external members of ad_external
and that works, but adding the group server_adm...@domain1.com (as seen in
`id lach...@domain1.com`) doesn't allow all members access.

Does that sound correct?

L.


------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
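The group-nesting and HBAC sequence described in the post, as an added shell example that is not the poster's own commands: it uses the `ipa` CLI to create the external and internal groups, an HBAC rule for sshd on server1.domain2.com, and runs `ipa hbactest` as the check that shows which rules match for a trusted-domain user. `AD_USER@domain1.com` and `AD_GROUP@domain1.com` are placeholders for the truncated names in the post; the rule name `ad_admins_ssh` is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Commands are printed unless
# IPA_APPLY=1 is set, so the sequence can be reviewed before it is run.
set -eu

EXT_GROUP=ad_external            # non-POSIX group that stores AD SIDs
INT_GROUP=ad_internal            # POSIX group that HBAC rules reference
RULE=ad_admins_ssh               # assumed rule name
HOST=server1.domain2.com
AD_GROUP='AD_GROUP@domain1.com'  # placeholder for the trusted-domain group
AD_USER='AD_USER@domain1.com'    # placeholder for the trusted-domain user

run() {
    if [ "${IPA_APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# 1. External group (holds AD SIDs) nested into an internal POSIX group.
setup_groups() {
    run ipa group-add "$EXT_GROUP" --external --desc='AD trust members'
    run ipa group-add "$INT_GROUP" --desc='POSIX wrapper for AD members'
    run ipa group-add-member "$INT_GROUP" --groups="$EXT_GROUP"
    # An external member may be a trusted-domain user or group.
    run ipa group-add-member "$EXT_GROUP" --external="$AD_GROUP"
}

# 2. HBAC rule: members of the internal group may use sshd on one host.
setup_rule() {
    run ipa hbacrule-add "$RULE" --desc='AD admins may ssh'
    run ipa hbacrule-add-user "$RULE" --groups="$INT_GROUP"
    run ipa hbacrule-add-host "$RULE" --hosts="$HOST"
    run ipa hbacrule-add-service "$RULE" --hbacsvcs=sshd
}

# 3. Evaluate before disabling allow_all: the output lists matched and
#    unmatched rules, so it shows whether membership via the external
#    group resolves for the AD user on this host.
check_access() {
    run ipa hbactest --user="$AD_USER" --host="$HOST" --service=sshd
}

main() { setup_groups; setup_rule; check_access; }
main
```

On the client, `id AD_USER@domain1.com` (after `sss_cache -E` if a stale entry is suspected) shows whether ad_internal appears in the user's resolved groups, which is what the rule evaluation depends on.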
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project