On Wed, 09 Aug 2023, Sameer Gurung wrote:
On Mon, 31 Jul, 2023, 12:53 Alexander Bokovoy, <[email protected]> wrote:

On Mon, 31 Jul 2023, Sameer Gurung via FreeIPA-users wrote:
>On Sun, Jul 30, 2023 at 10:20 PM Ronald Wimmer via FreeIPA-users <
>[email protected]> wrote:
>
>> The referenced thread is about merging local and IPA groups. Not
>> explicitly about the direction.
>>
>> Cheers,
>> Ronald
>>
>I don't quite follow. I have added a docker group to FreeIPA with the
>--external option. Then added my AD user to this group. This works fine.
>However, at the client, group merging does not take place. The AD user is
>not added to the local docker group of the client.

You are using it the wrong way.

An 'external' group in IPA is not a POSIX group. It is supposed to be
included in a POSIX group, and then SSSD on the client system will pull
all external references from the 'external' group when building up the
membership of the POSIX group. That's why the documentation talks about
a two-group buildup:

  - create an 'external' group and add AD objects as members of it
  - create a POSIX group and add the 'external' group as a member

The group merging feature in glibc works only for POSIX groups, because
these are the only groups that exist in the POSIX environment where glibc
operates. Unless an AD user is pulled into the POSIX group, the group
cannot see the AD user as a member.

So you should create a 'docker-external' 'external' group and add users
there. Then create a 'docker' group in IPA and add the 'docker-external'
group as a member there. Then, upon login to a system governed by SSSD,
this 'docker' group membership will be filled in by SSSD for the AD user,
and glibc will handle group merging on top of that.

I thought this had solved my problem, but after the recent update to
FreeIPA, group merging no longer works.

1. New AD users added to the docker-external group are not added to the
local machine's docker group.

2. AD users that were already in the docker-external group and were added
to the local machine's docker group no longer have permission to run docker.
Running the id command to check user details shows them to be a member of
the docker group, but the id of the docker group is the id of the FreeIPA
docker POSIX group.

Since user/group data properly comes from IPA, you need to check your
client system configuration. Group merging is a feature of glibc and is
driven by the configuration in /etc/nsswitch.conf.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
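A client-side check for the configuration Alexander points at, added here as an example that is not part of the thread: it parses the `group:` line of an nsswitch.conf for the `files [SUCCESS=merge] sss` sequence and models the merged `docker` entry from a local and an IPA group record. The nsswitch.conf variants, group lines, GIDs and user names are constructed sample data, and the merge model is an assumption to be confirmed on a real client with `getent group docker`.

```python
import re

# Constructed sample data (not from the thread): two client nsswitch.conf
# variants and the two 'docker' entries a client may see. With 'sss' listed
# first and no merge action, a lookup returns only the IPA entry and GID,
# which matches the symptom Sameer describes.
NSSWITCH_NO_MERGE = "passwd: sss files systemd\ngroup:  sss files systemd\n"
NSSWITCH_MERGE = "passwd: sss files systemd\ngroup:  files [SUCCESS=merge] sss systemd\n"
LOCAL_DOCKER = "docker:x:990:alice"                      # from /etc/group
IPA_DOCKER = "docker:*:1734400012:bob@ad.example.test"   # as returned by sss

def group_merge_configured(nsswitch_text):
    """True when the 'group:' line tells glibc to keep going after a hit in
    'files' and merge it with the 'sss' result: 'files [SUCCESS=merge] sss'."""
    m = re.search(r"^\s*group:\s*(.*)$", nsswitch_text, re.MULTILINE)
    if not m:
        return False
    tokens = [t.lower() for t in m.group(1).split("#", 1)[0].split()]
    for i, tok in enumerate(tokens):
        if tok == "files" and tokens[i + 1:i + 3] == ["[success=merge]", "sss"]:
            return True
    return False

def parse_group(line):
    """Parse one /etc/group-style record (name:passwd:gid:members)."""
    name, passwd, gid, members = line.strip().split(":")
    return {"name": name, "passwd": passwd, "gid": int(gid),
            "mem": [m for m in members.split(",") if m]}

def merge_groups(first, second):
    """Model of a merged by-name lookup: the first service's entry keeps its
    name, password and GID and the second service's members are appended.
    Assumption: mirrors glibc's group merge; duplicates are dropped here."""
    merged = dict(first)
    merged["mem"] = first["mem"] + [m for m in second["mem"] if m not in first["mem"]]
    return merged

def check_client(nsswitch_text, local_line, ipa_line):
    """Return (merged entry or None, findings) for the local vs IPA pair."""
    findings = []
    local, ipa = parse_group(local_line), parse_group(ipa_line)
    if not group_merge_configured(nsswitch_text):
        findings.append("group: line lacks 'files [SUCCESS=merge] sss'; "
                        "glibc stops at the first service that answers")
        return None, findings
    if local["gid"] != ipa["gid"]:
        # A socket or file owned by one GID is not reachable through the other.
        findings.append("local GID %d differs from IPA GID %d"
                        % (local["gid"], ipa["gid"]))
    return merge_groups(local, ipa), findings

if __name__ == "__main__":
    for text in (NSSWITCH_NO_MERGE, NSSWITCH_MERGE):
        print(check_client(text, LOCAL_DOCKER, IPA_DOCKER))
```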