On 11 July 2016 at 16:44, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Mon, 11 Jul 2016, Lachlan Musicman wrote:
>> Hola,
>> Centos 7, up to date.
>> [root@linuxidm ~]# ipa --version
>> VERSION: 4.2.0, API_VERSION: 2.156
>> One way trust is successfully established, can login with
>> ssh usern...@domain1.com@server1.domain2.com
>> Am testing to get HBAC to work.
>> I've noticed that with the Allow All rule in effect, the following set up
>> is sufficient:
>> add external group "ad_external"
>> add internal group, "ad_internal", add ad_external as a group member of
>> ad_internal
>> AD users can now successfully login to any server.
>> When I tried to set up an HBAC, I couldn't get that set up to work, I
>> needed to complete the extra step of adding AD users explicitly to the
>> "external member" group of the external group.
>> I also note that this seems to be explicitly user based, not group based?
>> IE, I can add lach...@domain1.com to the external members of ad_external
>> and that works, but adding the group server_adm...@domain1.com (as seen
>> in
>> `id lach...@domain1.com`) doesn't allow all members access.
>> Does that sound correct?
> No, it does not.
> HBAC evaluation and external group merging/resolution is done by SSSD.
> Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
> that can help understanding what happens there.
> What SSSD version do you have on both IPA client and IPA server?

1.13.0 on both client and server.

To be honest, we have ratcheted up the logs and it doesn't help that much.
We just got lots of "unsupported PAM command [249]"

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to