Surprisingly, I have created some local IPA users and added them to the same HBAC rule, removed the AD group and applied this rule to the client, and that worked.

How can I make this AD group work with HBAC?

Regards,
Ben

On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> HI
>
> If I disable the allow_all <https://freeipa.idm.local/ipa/ui/#allow_all> rule, I cannot log in to the client machine.
>
> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> HI
>>
>> Actually I have added Domain Admins, and the user ben is not part of Domain Admins. But when I log in to the client machine, I am getting the below:
>>
>> -sh-4.2$ id
>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>
>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>
>>> HI
>>>
>>> While explaining here it went wrong. What I actually did is "Added external group to POSIX group".
>>>
>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>
>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>> > HI,
>>>> >
>>>> > "The other is that the groups might not show up on the client (do they?)"
>>>>
>>>> id $user.
>>>>
>>>> But I think Alexander noticed the root cause.
>>>>
>>>> > How can I check that?
>>>> >
>>>> > Thanks
>>>> > Ben
>>>> >
>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>> >
>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>> > > > Hi List,
>>>> > > >
>>>> > > > I have a working setup of one AD, one IPA server and one client server. By default I can log in to the client server by using an AD username.
>>>> > > >
>>>> > > > I want to apply HBAC rules against this client server. For that I have done the steps below.
>>>> > > >
>>>> > > > 1. Created an External group on the IPA server
>>>> > > > 2. Created a local POSIX group on the IPA server
>>>> > > > 3. Added the AD group to the external group
>>>> > > > 4. Added the POSIX group to the external group.
>>>> > > >
>>>> > > > After that I have created an HBAC rule by adding both the local and external IPA groups, added sshd as the service and selected the service group sudo.
>>>> > > >
>>>> > > > I have applied this HBAC rule to the client server from the web UI, and while testing HBAC from the web I am getting access denied.
>>>> > >
>>>> > > Sorry, not enough info.
>>>> > >
>>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>>> > > The other is that the groups might not show up on the client (do they?)
>>>> > >
>>>> > > Anyway, it might be good idea to follow
>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>> > >
>>>> > > --
>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> > > Go to http://freeipa.org for more info on the project
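The group chain the thread is trying to build (AD group -> external group -> POSIX group -> HBAC rule), as an added example that is not from the thread or from the FreeIPA project, written as a shell script that can be dry-run before anything is changed on the server. The names ad_admins_external, ad_admins, ad_admins_ssh and client.idm.local are assumptions; the AD domain kwttestdc.com.kw is the one visible in the `id` output above, and a real run needs an admin Kerberos ticket (kinit admin).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: external group
# ad_admins_external, POSIX group ad_admins, HBAC rule ad_admins_ssh,
# client host client.idm.local; the AD domain is the one from the id output.
# With DRY_RUN set, the ipa commands are printed instead of executed.
set -e

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Builds the membership chain AD group -> external group -> POSIX group -> HBAC rule.
# Arguments: AD group, external group, POSIX group, rule name, client host FQDN.
setup_ad_hbac() {
    ad_group="$1"; ext_group="$2"; posix_group="$3"; rule="$4"; host="$5"

    # 1. Only an external (non-POSIX) IPA group can hold AD members.
    run ipa group-add --external "$ext_group" --desc "AD $ad_group"
    run ipa group-add-member "$ext_group" --external "$ad_group"

    # 2. The external group must be a MEMBER of the POSIX group, not the
    #    reverse; HBAC rules reference the POSIX group.
    run ipa group-add "$posix_group" --desc "POSIX wrapper for $ad_group"
    run ipa group-add-member "$posix_group" --groups "$ext_group"

    # 3. The rule itself: who (POSIX group), where (host), which service (sshd).
    run ipa hbacrule-add "$rule" --desc "ssh access for $ad_group"
    run ipa hbacrule-add-user "$rule" --groups "$posix_group"
    run ipa hbacrule-add-host "$rule" --hosts "$host"
    run ipa hbacrule-add-service "$rule" --hbacsvcs sshd
}

# Simulates the rule for one user on the server before allow_all is disabled,
# so a non-matching rule (the thread's symptom) shows up here, not as a lockout.
check_rule() {
    run ipa hbactest --user "$1" --host "$2" --service sshd --rules "$3"
}

# Usage (real run needs: kinit admin):
# setup_ad_hbac 'Domain Admins@kwttestdc.com.kw' ad_admins_external ad_admins ad_admins_ssh client.idm.local
# check_rule ben@kwttestdc.com.kw client.idm.local ad_admins_ssh
```

Only once `check_rule` reports the rule as matching for the intended user should allow_all be disabled; a user whose `id` output lacks the expected AD group will not match no matter how the rule is written.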