SSSD is able to evaluate group membership, but if, for instance, I create a view for my user and add an SSH public key, I can only use it to log in passwordless on the IPA server, not on an IPA client. The password still works, but I see nothing in the sssd logs that explains why the pubkey was rejected on the IPA client. Could it be that the client is not really aware that there is a view override? I thought that the external mapping would facilitate this.

On Mon, Jul 13, 2015 at 11:46 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Mon, 13 Jul 2015, Angelo Pantano wrote:
>
>> I have the same entry there, my question is that I don't understand why it
>> doesn't give me any visibility of the AD users mapped in that group, I
>> mean I just see that entry, but what's that supposed to do? It doesn't
>> really change anything with or without, I am missing the supposed value of
>> having the AD users mapped in a FreeIPA posix group.
>>
>> I was expecting to see the AD users in that group, but I got nothing. I'm
>> a bit confused
>>
> Read the documentation.
>
> Once you added AD user or group as external member of an external IPA
> group and then added this group as a member of IPA POSIX group, the user
> belonging to AD group would appear as a member of IPA POSIX group:
>
> # id administra...@adx.test
> uid=1878600500(administra...@adx.test)
> gid=1878600500(administra...@adx.test)
> groups=1878600500(administra...@adx.test),1878600520(group policy
> creator own...@adx.test),1878600519(enterprise
> adm...@adx.test),1878600512(domain adm...@adx.test),1878600518(schema
> adm...@adx.test),1878600513(domain us...@adx.test),1634400007(ad_admins)
>
> You wouldn't see this in the web UI because web UI is showing what is in
> the LDAP, not what is visible in the system when SSSD evaluates the
> group membership.
> --
> / Alexander Bokovoy