Hola, Centos 7, up to date.
```
[root@linuxidm ~]# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156
```

One way trust is successfully established, can login with ssh [email protected]@server1.domain2.com

Am testing to get HBAC to work. I've noticed that with the Allow All rule in effect, the following set up is sufficient:

- add external group "ad_external"
- add internal group, "ad_internal"
- add ad_external as a group member of ad_internal

AD users can now successfully login to any server.

When I tried to set up an HBAC, I couldn't get that set up to work, I needed to complete the extra step of adding AD users explicitly to the "external member" group of the external group.

I also note that this seems to be explicitly user based, not group based? IE, I can add [email protected] to the external members of ad_external and that works, but adding the group [email protected] (as seen in `id [email protected]`) doesn't allow all members access.

Does that sound correct?

L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
