Centos 7, up to date.
[root@linuxidm ~]# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156
One way trust is successfully established, can login with
I am testing to get HBAC to work.
I've noticed that with the Allow All rule in effect, the following set up
add external group "ad_external"
add internal group, "ad_internal", add ad_external as a group member of
AD users can now successfully login to any server.
When I tried to set up an HBAC, I couldn't get that set-up to work; I
needed to complete the extra step of adding AD users explicitly to the
"external member" group of the external group.
I also note that this seems to be explicitly user-based, not group-based?
I.e., I can add lach...@domain1.com to the external members of ad_external
and that works, but adding the group server_adm...@domain1.com (as seen in
`id lach...@domain1.com`) doesn't allow all members access.
Does that sound correct?
The most dangerous phrase in the language is, "We've always done it this
- Grace Hopper
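As an added example (not code from the post or from the FreeIPA project): a small Python helper that parses the `id user@domain1.com` output mentioned above, keeps the groups that come from the trusted AD domain, and emits the `ipa group-add-member ... --external` commands that add those AD groups (rather than individual users) as external members of the group used in the HBAC rule. The user, group names, numeric ids and the `ad_external` group name are constructed assumptions.

```python
import re

# Constructed sample of `id <user>@domain1.com` output on an IPA-enrolled
# client; the user, group names and numeric ids are hypothetical.
SAMPLE_ID_OUTPUT = (
    "uid=1234567890(lachlan@domain1.com) "
    "gid=1234567890(domain users@domain1.com) "
    "groups=1234567890(domain users@domain1.com),"
    "1234567899(server_admins@domain1.com)"
)

# One "<number>(<name>)" entry as printed by id(1).
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(text):
    """Split `id` output into the uid name, gid name and list of group names."""
    uid = re.search(r"uid=(\d+)\(([^)]*)\)", text)
    gid = re.search(r"gid=(\d+)\(([^)]*)\)", text)
    groups = re.search(r"groups=(.*)$", text)
    if not (uid and gid and groups):
        raise ValueError("unrecognised id output")
    return {
        "uid": uid.group(2),
        "gid": gid.group(2),
        "groups": [name for _, name in ENTRY.findall(groups.group(1))],
    }


def trusted_domain_groups(parsed, domain):
    """Keep only the groups that belong to the trusted AD domain."""
    suffix = "@" + domain.lower()
    return [g for g in parsed["groups"] if g.lower().endswith(suffix)]


def external_member_commands(ad_groups, external_group="ad_external"):
    """Build the ipa commands that add AD groups (not single users) as
    external members of the IPA external group referenced by HBAC."""
    return ["ipa group-add-member %s --external '%s'" % (external_group, g)
            for g in ad_groups]


def would_match_hbac(parsed, allowed_ad_groups):
    """True if one of the user's AD groups is among those mapped into the
    external group, so the rule can match without listing the user."""
    mine = {g.lower() for g in parsed["groups"]}
    return bool(mine & {a.lower() for a in allowed_ad_groups})


if __name__ == "__main__":
    info = parse_id_output(SAMPLE_ID_OUTPUT)
    for cmd in external_member_commands(trusted_domain_groups(info, "domain1.com")):
        print(cmd)
```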