On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote:
> Hi Folks,
>
> Last week I deployed freeipa on a CentOS7 VM. The installation went very
> smoothly using:
>
> yum install ipa-server
>
> and
>
> ipa-server-install
>
>
> My issue is with connecting a CentOS 7 client. On my client, I yum
> installed ipa-client and ipa-admintools.
> I then ran "ipa-client-install" and answered the setup questions (very
> easy and smooth).
>
> The "getent passwd" command didn't return any users, but the "getent passwd
> jdoe" does give the information for the user. I found in the archives that
> I can set "enumerate=True" so I get a complete user listing. That seems to
> be working, and I was able to log in with the account "jdoe" (brilliant!).
I would discourage enumeration, especially if you're planning on a large
domain. The performance right now is not great. Moreover, the way the
trusted accounts are retrieved doesn't support enumeration at all either.

> Problem 1:
> ========
>
> I created a user group on the ipa server with the following attributes:
>
> name = xyx, gid = 1000
>
> I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
> client, I get the following message after logging in:
>
> /usr/bin/id: cannot find name for group ID 1000
>
> A "getent group" command does list the group: xyz:*:1000:
>
> A "groups" command issued by the user shows: xyz
>
> Files created by the user show the correct ownership and group.

I would first try to remove the sssd caches, because uid/gid renumbering
doesn't work great. If that doesn't help, please check the sssd logs.

By the way, 1000 is quite low and would most probably clash with local
accounts. I would strongly suggest sticking to ID numbers within the
configured ID range (ipa idrange-find).

> Problem 2:
> =======
>
> I've been looking through the freeipa groups and literature and I can't
> figure out how to limit user login access to an ipa client by a memberOf
> group.
>
> When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a
> group filter like:
>
> passwd
> (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
>
>
> I tried changing the access_provider to simple and using the
> "simply_allow_groups = test", but that didn't work.
> However, using "access_provider = ipa" and "filter_users" did allow me to
> filter out a user from the "getent passwd" command.
>
> I tried changing the access_provider to ldap and using the filter
> "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu
> but that failed too.
Please check out "ipa help hbac"

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
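The HBAC approach the reply points at, written out as an added example that is not part of the original thread: an HBAC rule that allows only members of one group to use sshd on one client, with the default allow_all rule disabled so the narrower rule takes effect, a server-side hbactest before touching the client, and an sssd cache flush on the client for the gid renumbering in Problem 1. The rule name "test_ssh", the group "test", the host "client.example.test" and the user "jdoe" are placeholders, and it assumes an admin Kerberos ticket (kinit admin) and a client left at the ipa-client-install default of access_provider = ipa.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: rule "test_ssh",
# group "test", host "client.example.test", user "jdoe".
# Assumes: kinit admin already done; the client runs sssd with the
# ipa-client-install default access_provider = ipa, so HBAC is enforced.
set -eu

# Create an HBAC rule that allows only members of GROUP to use sshd on HOST.
# Users, hosts and services are all added to the same rule; a login is
# granted only when all three match.
hbac_restrict_ssh() {
    rule=$1 group=$2 host=$3
    ipa hbacrule-add "$rule" --desc="ssh for group $group on $host"
    ipa hbacrule-add-user "$rule" --groups="$group"
    ipa hbacrule-add-host "$rule" --hosts="$host"
    ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# A fresh install ships an enabled allow_all rule that grants every user
# every service on every host; while it stays enabled, the rule above
# changes nothing, so disable it once the narrower rules are in place.
hbac_disable_allow_all() {
    ipa hbacrule-disable allow_all
}

# Simulate the decision on the server before relying on it: prints
# "Access granted: True" or "False" plus the rules that matched.
hbac_check() {
    user=$1 host=$2
    ipa hbactest --user="$user" --host="$host" --service=sshd
}

# On the client (as root): invalidate every cached sssd entry so the new
# rule and any uid/gid renumbering are picked up without waiting.
flush_sssd_cache() {
    sss_cache -E
}
```

Run hbac_restrict_ssh and hbac_check on the server, then hbac_disable_allow_all only after hbactest shows the expected users are still granted; flush_sssd_cache runs on the client.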