On Mon, 11 Jul 2016, Lachlan Musicman wrote:

Centos 7, up to date.

[root@linuxidm ~]# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

One way trust is successfully established, can login with

ssh usern...@domain1.com@server1.domain2.com

Am testing to get HBAC to work.

I've noticed that with the Allow All rule in effect, the following set up
is sufficient:

add external group "ad_external"
add internal group, "ad_internal", add ad_external as a group member of

AD users can now successfully login to any server.

When I tried to set up an HBAC, I couldn't get that set up to work, I
needed to complete the extra step of adding AD users explicitly to the
"external member" group of the external group.

I also note that this seems to be explicitly user based, not group based?
IE, I can add lach...@domain1.com to the external members of ad_external
and that works, but adding the group server_adm...@domain1.com (as seen in
`id lach...@domain1.com`) doesn't allow all members access.

Does that sound correct?
No, it does not.
HBAC evaluation and external group merging/resolution is done by SSSD.
Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
that can help understanding what happens there.

What SSSD version do you have on both IPA client and IPA server?
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to