Hi, I have created 2 fresh users now and I was running the below:

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found

But I am able to test with old users:

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\Administrator" --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
Matched rules: allow_all
Not matched rules: ad_can_login
Not matched rules: local_admin_can_login
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\ben" --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
Matched rules: ad_can_login
Matched rules: allow_all
Not matched rules: local_admin_can_login

Is there any sync time for the trust?

When I was trying ipa trust-fetch-domains, I am getting the below:

[root@freeipa log]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

Thanks & Regards,
Ben

On Fri, Apr 29, 2016 at 6:33 PM, Ben .T.George <bentech4...@gmail.com> wrote:

> Hi Alex,
>
> Yeah, my mistake.
>
> I was following this:
>
> http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources
>
> On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On Fri, 29 Apr 2016, Ben .T.George wrote:
>>
>>> Hi List,
>>>
>>> I have a working setup of one AD, one IPA server and one client server. By
>>> default I can log in to the client server by using an AD username.
>>>
>>> I want to apply HBAC rules against this client server. For that I have
>>> done the below steps.
>>>
>>> 1. Created external group in IPA server
>>> 2. Created local POSIX group in IPA server
>>> 3. Added AD group to external group
>>> 4. Added POSIX group to external group.
>>>
>> You should have added external group to POSIX group, not the other way
>> around.
>>
>> --
>> / Alexander Bokovoy
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project