> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Thursday, May 14, 2015 11:46 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trusted user groups
> 
> On Thu, May 14, 2015 at 03:33:28PM +0000, Andy Thompson wrote:
> > I've noticed that trusted users supplementary ad groups don't show up
> until after the users login to the box at least once.
> 
> That's expected with the versions you're running. Prior to 6.7, we could only
> read the trusted users' group membership from the PAC blob attached to
> the Kerberos ticket.
> 
> 
> > Is there a chance that information will be dropped again at any point going
> forward?
> 
> No, otherwise it's a bug.
> 
> >
> > The reason I ask is that on our sftp boxes we chroot users based on
> > group membership.  I set that up as an external group in freeIPA and
> > the first time the user logs in to the sftp box, they are dropped in
> > their normal home directory as opposed to the chroot environment.  If
> > there is a chance the group membership will not show up correctly
> > again in the future, I'm inclined to change the chroot stanzas to match on
> user as opposed to group.
> >
> > Is that by design?
> 
> If you can't see the correct group memberships after a login, then something
> is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and there's so many
> fixes and enhancements in this area..is there a chance you could try out 6.7
> beta or some custom packages?
> 

Group memberships show up fine after the first login so it is working as 
expected then.  The accounts are very controlled so it shouldn't be a huge 
sticking point.  I could try out some custom packages on this box but I can't 
move to 6.7 until we upgrade the entire environment.  

Thanks much

-andy



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to