On 03/06/2015 03:24 PM, Craig White wrote:
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Guertin, David S.
*Sent:* Friday, March 06, 2015 1:04 PM
*Subject:* [Freeipa-users] Can't add AD user group to IPA group
I'm on my second attempt trying to set up an IPA server with a trust
relationship to our AD domain. The first attempt had inexplicable
problems with winbind, so this time I've set up a RHEL7 server, and
things are going better, but I'm stuck when trying to add an AD user
group to an IPA group.
I have already:
- created an IPA group called ad_users.
- created an IPA group called ad_users_external.
Did you create this group with --external?
- added ad_users_external as a member of ad_users.
But the final step isn't working:
ipa group-add-member ad_users_external --external "AD\IPA Users"
ipa: ERROR: attribute "ipaExternalMember" not allowed
How can I fix this?
Also, I discovered that even without adding this AD group, every AD
user in our domain can SSH to the IPA server. That's convenient for
the users, but not really what I'm looking for. Why aren't logins
restricted to users in the ad_users group?
Just taking the last question...
Seems the initial/default setup for IPA server is to put in an
'allow_all' rule. Thus you can actively manage HBAC but out of the
box, it is essentially turned off by that rule.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project