On 03/06/2015 03:24 PM, Craig White wrote:

*From:*freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Guertin, David S.
*Sent:* Friday, March 06, 2015 1:04 PM
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] Can't add AD user group to IPA group

I'm on my second attempt trying to set up an IPA server with a trust relationship to our AD domain. The first attempt had inexplicable problems with winbind, so this time I've set up a RHEL7 server, and things are going better, but I'm stuck when trying to add an AD user group to an IPA group.

I have already:

- created an IPA group called ad_users.

- created an IPA group called ad_users_external.

Did you create this group with --external?

- added ad_users_external as a member of ad_users.

But the final step isn't working:

ipa group-add-member ad_users_external --external "AD\IPA Users"


ipa: ERROR: attribute "ipaExternalMember" not allowed

How can I fix this?

Also, I discovered that even without adding this AD group, every AD user in our domain can SSH to the IPA server. That's convenient for the users, but not really what I'm looking for. Why aren't logins restricted to users in the ad_users group?

Just taking the last question...

Seems the initial/default setup for IPA server is to put in an 'allow_all' rule. Thus you can actively manage HBAC but out of the box, it is essentially turned off by that rule.


Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to