On Mon, 11 Jul 2016, Lachlan Musicman wrote:
> CentOS 7, up to date.
> [root@linuxidm ~]# ipa --version
> VERSION: 4.2.0, API_VERSION: 2.156
> One way trust is successfully established, can login with
> Am testing to get HBAC to work.
> I've noticed that with the Allow All rule in effect, the following set up
> add external group "ad_external"
> add internal group, "ad_internal", add ad_external as a group member of
> AD users can now successfully login to any server.
> When I tried to set up an HBAC, I couldn't get that set up to work, I
> needed to complete the extra step of adding AD users explicitly to the
> "external member" group of the external group.
> I also note that this seems to be explicitly user based, not group based?
> IE, I can add lach...@domain1.com to the external members of ad_external
> and that works, but adding the group server_adm...@domain1.com (as seen in
> `id lach...@domain1.com`) doesn't allow all members access.
> Does that sound correct?
No, it does not.
HBAC evaluation and external group merging/resolution are done by SSSD.
Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
that can help in understanding what happens there.
What SSSD version do you have on both IPA client and IPA server?
/ Alexander Bokovoy
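The group/HBAC setup described in the question and the SSSD log collection the reply asks for, written out as an added example script that is not part of this thread and not FreeIPA's own tooling. The IPA domain (ipa.example.test), the trusted AD domain (domain1.com), the AD group name (server_admins), the host and the rule name are assumed; set IPA=echo to print the ipa commands instead of running them.

```shell
#!/bin/sh
# Added example: external group + POSIX wrapper group + HBAC rule, then the
# SSSD debug settings needed to see the client-side HBAC decision.
# Assumed values (not from the thread): ipa.example.test, domain1.com,
# server_admins, server1.ipa.example.test. Override via the environment.
IPA="${IPA:-ipa}"
AD_DOMAIN="${AD_DOMAIN:-domain1.com}"
AD_GROUP="${AD_GROUP:-server_admins}"
HOST_FQDN="${HOST_FQDN:-server1.ipa.example.test}"

# Step 1: an external group holds AD SIDs; a normal POSIX group wraps it so
# HBAC (and sudo) rules can refer to a group that has a GID.
setup_external_groups() {
    $IPA group-add ad_external --external --desc="AD principals (SIDs)"
    $IPA group-add ad_internal --desc="POSIX wrapper for AD principals"
    # Add the AD group itself as the external member, not individual users;
    # SSSD resolves the user's AD group SIDs against these members.
    $IPA group-add-member ad_external --external="${AD_DOMAIN}\\${AD_GROUP}"
    $IPA group-add-member ad_internal --groups=ad_external
}

# Step 2: a narrow HBAC rule (wrapper group, one host, sshd), then disable
# allow_all so the narrow rule is the one actually being evaluated.
setup_hbac_rule() {
    $IPA hbacrule-add ad_admins_ssh --desc="AD server admins via ssh"
    $IPA hbacrule-add-user ad_admins_ssh --groups=ad_internal
    $IPA hbacrule-add-host ad_admins_ssh --hosts="$HOST_FQDN"
    $IPA hbacrule-add-service ad_admins_ssh --hbacsvcs=sshd
    $IPA hbacrule-disable allow_all
}

# Step 3: server-side simulation of the rule for one user. This shows what
# the server would decide; the real decision on the client is made by SSSD.
check_hbac() {
    user="$1"
    $IPA hbactest --user="$user" --host="$HOST_FQDN" --service=sshd
}

# Step 4: SSSD debug settings for the [domain/...] section of
# /etc/sssd/sssd.conf on the client that denies the login. Level 6 is
# enough to see rule evaluation and external group resolution.
sssd_debug_snippet() {
    ipa_domain="$1"
    printf '[domain/%s]\ndebug_level = 6\n' "$ipa_domain"
}

# Insert debug_level under the existing [domain/<ipa_domain>] header,
# flush the cache and restart so the next login is logged from scratch.
enable_sssd_debug() {
    ipa_domain="$1"
    sed -i "/^\[domain\/${ipa_domain}\]/a debug_level = 6" /etc/sssd/sssd.conf
    sss_cache -E
    systemctl restart sssd
    echo "Reproduce the login, then read /var/log/sssd/sssd_${ipa_domain}.log"
}

# The reply also asks for the SSSD version on both client and server.
report_versions() {
    rpm -q sssd ipa-client ipa-server 2>/dev/null
}

# Only run end to end when explicitly asked: sh this_script.sh run
if [ "${1:-}" = run ]; then
    setup_external_groups
    setup_hbac_rule
    check_hbac "someuser@${AD_DOMAIN}"
    report_versions
fi
```

`ipa hbactest` evaluates the rule on the server with the server's view of group membership, whereas the client's allow/deny comes from SSSD's own merge of the user's AD group SIDs with the external group members; when the two disagree, the SSSD domain log with debug_level = 6 is where the difference shows up.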
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project