On Mon, 11 Jul 2016, Lachlan Musicman wrote:
Hola,
Centos 7, up to date.
[root@linuxidm ~]# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156
One way trust is successfully established, can login with
ssh usern...@domain1.com@server1.domain2.com
Am testing to get HBAC to work.
I've noticed that with the Allow All rule in effect, the following set up
is sufficient:
add external group "ad_external"
add internal group, "ad_internal", add ad_external as a group member of
ad_internal
AD users can now successfully login to any server.
When I tried to set up an HBAC, I couldn't get that set up to work, I
needed to complete the extra step of adding AD users explicitly to the
"external member" group of the external group.
I also note that this seems to be explicitly user based, not group based?
IE, I can add lach...@domain1.com to the external members of ad_external
and that works, but adding the group server_adm...@domain1.com (as seen in
`id lach...@domain1.com`) doesn't allow all members access.
Does that sound correct?
No, it does not.
HBAC evaluation and external group merging/resolution is done by SSSD.
Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
that can help understanding what happens there.
What SSSD version do you have on both IPA client and IPA server?
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project