Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-11 Thread Guertin, David S.
 For troubleshooting this you need to enable debug_level=10 in sssd.conf in
 domain and pam sections. Restart sssd and try to log in.

OK, this has pinpointed the problem. The log file now shows:

(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] 
(0x1000): Mapping user [guertin-s] objectSID 
[S-1-5-21-1983215674-46037090-646806464-245906] to unix ID
(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] 
(0x0080): Could not convert objectSID 
[S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID

It seems that this is due to incorrect ID range settings. So I have increased 
the ID range to 2,000,000, which ought to be enough for a RID of 245906:

# ipa idrange-find

2 ranges matched

  Range name: CSNS.MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 52880
  Number of IDs in the range: 200
  First RID of the corresponding RID range: 1
  First RID of the secondary RID range: 201
  Range type: local domain range

  Range name: MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 1000
  Number of IDs in the range: 200
  Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
  Range type: Active Directory trust range with POSIX attributes

Number of entries returned 2


But the problem still persists. I cannot SSH in as a user (getent passwd, id, 
etc. all still show the users).

David Guertin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
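To make the two log lines above concrete, here is an added Python model (written for this page, not from the thread or from the FreeIPA/SSSD code) of how an AD trust range turns an objectSID into a POSIX ID: the RID is an offset into the range, so a range of 200 IDs cannot hold RID 245906, while the 2,000,000-ID size David reports setting can. It assumes a base RID of 0 for the trust range and takes the other values from the idrange-find output quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class IdRange:
    """One entry of `ipa idrange-find`; base_rid is an assumption (0 for trust ranges)."""
    name: str
    first_posix_id: int
    size: int
    domain_sid: Optional[str] = None   # only set for trust ranges
    base_rid: int = 0

# Account SID: domain SID (S-1-5-21-a-b-c) followed by the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid: str) -> Tuple[str, int]:
    """Split an objectSID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an account SID: {sid}")
    return m.group(1), int(m.group(2))

def sid_to_unix_id(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """Model of the trust-range mapping: POSIX ID = first_posix_id + (RID - base_rid),
    or None when no range for that domain covers the RID (the log's failure case)."""
    domain, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid != domain:
            continue
        offset = rid - r.base_rid
        if 0 <= offset < r.size:
            return r.first_posix_id + offset
    return None

def overlapping(ranges: List[IdRange]) -> List[Tuple[str, str]]:
    """Pairs of ranges whose POSIX ID intervals intersect (IPA rejects such ranges)."""
    spans = [(r.name, r.first_posix_id, r.first_posix_id + r.size - 1) for r in ranges]
    return [(a, b) for i, (a, lo1, hi1) in enumerate(spans)
            for (b, lo2, hi2) in spans[i + 1:] if lo1 <= hi2 and lo2 <= hi1]

# Values copied from the idrange-find output and log lines quoted above.
DOMAIN_SID = "S-1-5-21-1983215674-46037090-646806464"
USER_SID = DOMAIN_SID + "-245906"
RANGES = [
    IdRange("CSNS.MIDDLEBURY.EDU_id_range", 52880, 200, None, 1),
    IdRange("MIDDLEBURY.EDU_id_range", 1000, 200, DOMAIN_SID),
]
# The 2,000,000-ID size David says he configured, everything else unchanged.
ENLARGED = [RANGES[0], IdRange("MIDDLEBURY.EDU_id_range", 1000, 2_000_000, DOMAIN_SID)]
```

A trust range starting at 1000 and holding 2,000,000 IDs runs straight through the local range at 52880; overlapping() flags that pair, and IPA refuses to create overlapping ranges, so the base of one of them has to move as well.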


Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Petr Spacek
On 10.3.2015 12:14, Guertin, David S. wrote:
 Seems the initial/default setup for IPA server is to put in an 'allow_all'
 rule. Thus you can actively manage HBAC but out of the box, it is essentially
 turned off by that rule.

 Yes. The default was the opposite a very long time ago, you had to explicitly
 enable access to the box. But it was causing too many user issues.
 
 OK, I have reinstalled the IPA server with the --no_hbac_allow flag (i.e. : 
 ipa-server-install --no_hbac_allow), but the behavior remains the same. I can 
 still see all AD users instead of just those in the particular group I've 
 added.
 
 Is there something else that needs to be done to override the allow_all setting?

You should be able to 'see' them via getent passwd but they should not be
allowed to login when HBAC_ALLOW_ALL is disabled.

-- 
Petr^2 Spacek



Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Alexander Bokovoy

On Tue, 10 Mar 2015, Guertin, David S. wrote:

 Seems the initial/default setup for IPA server is to put in an 'allow_all'
rule. Thus you can actively manage HBAC but out of the box, it is essentially
turned off by that rule.

Yes. The default was the opposite a very long time ago, you had to explicitly
enable access to the box. But it was causing too many user issues.


OK, I have reinstalled the IPA server with the --no_hbac_allow flag
(i.e. : ipa-server-install --no_hbac_allow), but the behavior remains
the same. I can still see all AD users instead of just those in the
particular group I've added.

Is there something else that needs to be done to override the allow_all setting?

Can you be more specific?

If you have allow_all HBAC rule enabled, it is just that -- any existing user
will be authorized to access any service on any host given they authenticate
successfully.

If you disabled the allow_all rule, then some other rule may allow such
access, but without more details about your configuration it is
impossible to say what you are doing.

On top of this you add confusion by saying I can still see all AD
users -- what do you mean by this?

Any substantiated shell output would definitely help here to understand
your issues.
--
/ Alexander Bokovoy



Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Guertin, David S.
  Seems the initial/default setup for IPA server is to put in an 'allow_all'
 rule. Thus you can actively manage HBAC but out of the box, it is essentially
 turned off by that rule.
 
 Yes. The default was the opposite a very long time ago, you had to explicitly
 enable access to the box. But it was causing too many user issues.

OK, I have reinstalled the IPA server with the --no_hbac_allow flag (i.e. : 
ipa-server-install --no_hbac_allow), but the behavior remains the same. I can 
still see all AD users instead of just those in the particular group I've added.

Is there something else that needs to be done to override the allow_all setting?

David Guertin



Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Guertin, David S.
 You should be able to 'see' them via getent passwd but they should not be
 allowed to login when HBAC_ALLOW_ALL is disabled.

Ah, OK, thanks, that's what is happening. I can see them with getent passwd and 
id, and I can su to them, but I can't log in as them.

On the other hand, I also can't log in as a user that SHOULD have permission 
(as a member of the appropriate AD group), but I'm still troubleshooting that 
one.

David Guertin



Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Jakub Hrozek
On Tue, Mar 10, 2015 at 11:14:21AM +, Guertin, David S. wrote:
   Seems the initial/default setup for IPA server is to put in an 'allow_all'
  rule. Thus you can actively manage HBAC but out of the box, it is 
  essentially
  turned off by that rule.
  
  Yes. The default was the opposite a very long time ago, you had to explicitly
  enable access to the box. But it was causing too many user issues.
 
 OK, I have reinstalled the IPA server with the --no_hbac_allow flag (i.e. : 
 ipa-server-install --no_hbac_allow), but the behavior remains the same. I can 
 still see all AD users instead of just those in the particular group I've 
 added.
 
 Is there something else that needs to be done to override the allow_all setting?

Can you also login with them?

The HBAC rules don't prevent retrieving identity information, only
access to the system.



Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Guertin, David S.
I have already:
- created an IPA group called ad_users.
- created an IPA group called ad_users_external.

 Did you create this group with --external?

Doh! Nope, somehow I missed that. I've done that and that part is working now. 
But the other part of the question remains, i.e. I'm still seeing all of our AD 
users (that have UNIX attributes enabled) instead of just the ones in the AD 
group that I've added.

David Guertin



Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Alexander Bokovoy

On Tue, 10 Mar 2015, Guertin, David S. wrote:

You should be able to 'see' them via getent passwd but they should not be
allowed to login when HBAC_ALLOW_ALL is disabled.


Ah, OK, thanks, that's what is happening. I can see them with getent
passwd and id, and I can su to them, but I can't log in as them.

Seeing identity is as designed. 'su' from root is ignoring any of HBAC
rules because your PAM stack for 'su' includes a rule that allows
exactly that (root can impersonate anyone).


On the other hand, I also can't log in as a user that SHOULD have
permission (as a member of the appropriate AD group), but I'm still
troubleshooting that one.

For troubleshooting this you need to enable debug_level=10 in sssd.conf
in domain and pam sections. Restart sssd and try to log in.

--
/ Alexander Bokovoy

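To make the points in this exchange concrete (identity lookups are independent of HBAC; su from root never reaches the HBAC check; only an enabled rule that matches the user grants a service), here is an added Python model written for this page, not the project's code and not from the thread. The rule name ad_users_ssh, the placeholder AD group SID and the nesting of ad_users_external inside ad_users are constructed from what David describes, and the su behaviour assumes the stock RHEL 7 /etc/pam.d/su stack.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category_all: bool = False            # the default allow_all rule sets this
    groups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)   # empty means "all services"

# Constructed group layout from the thread: the --external group holds the AD
# group by SID, and the POSIX group ad_users nests that external group.
AD_GROUP_SID = "S-1-5-21-EXAMPLE-DOMAIN-513"          # placeholder, not a real SID
EXTERNAL_MEMBERS: Dict[str, Set[str]] = {"ad_users_external": {AD_GROUP_SID}}
NESTING: Dict[str, Set[str]] = {"ad_users": {"ad_users_external"}}  # parent -> children

def resolve_groups(ad_sids: Set[str]) -> Set[str]:
    """IPA groups a user belongs to, given the SIDs of their AD groups,
    following nesting upward until no new parent appears."""
    found = {g for g, sids in EXTERNAL_MEMBERS.items() if sids & ad_sids}
    while True:
        parents = {p for p, kids in NESTING.items() if kids & found} - found
        if not parents:
            return found
        found |= parents

def hbac_match(rules: List[HbacRule], user_groups: Set[str], service: str) -> Optional[str]:
    """Name of the first enabled rule that grants this user the service, else None."""
    for r in rules:
        if not r.enabled or (r.services and service not in r.services):
            continue
        if r.user_category_all or (r.groups & user_groups):
            return r.name
    return None

def pam_decision(rules: List[HbacRule], ad_sids: Set[str], service: str, caller_uid: int) -> str:
    """Outcome of the PAM stack. On the stock RHEL 7 su stack (assumption) root is let
    through by pam_rootok (auth) and a 'uid = 0' pam_succeed_if (account) before
    pam_sss, which enforces HBAC, is consulted; identity lookups never come here."""
    if service == "su" and caller_uid == 0:
        return "allow:root_rule"
    rule = hbac_match(rules, resolve_groups(ad_sids), service)
    return f"allow:{rule}" if rule else "deny"

DEFAULT_RULES = [HbacRule("allow_all", user_category_all=True)]
RESTRICTED_RULES = [HbacRule("allow_all", enabled=False, user_category_all=True),
                    HbacRule("ad_users_ssh", groups={"ad_users"}, services={"sshd"})]
```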


Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-08 Thread Jakub Hrozek
On Fri, Mar 06, 2015 at 08:24:28PM +, Craig White wrote:
 Seems the initial/default setup for IPA server is to put in an 'allow_all' 
 rule. Thus you can actively manage HBAC but out of the box, it is essentially 
 turned off by that rule.

Yes. The default was the opposite a very long time ago, you had to
explicitly enable access to the box. But it was causing too many user
issues.



Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-07 Thread Dmitri Pal

On 03/06/2015 03:24 PM, Craig White wrote:


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Guertin, David S.

Sent: Friday, March 06, 2015 1:04 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Can't add AD user group to IPA group

I'm on my second attempt trying to set up an IPA server with a trust 
relationship to our AD domain. The first attempt had inexplicable 
problems with winbind, so this time I've set up a RHEL7 server, and 
things are going better, but I'm stuck when trying to add an AD user 
group to an IPA group.

I have already:

- created an IPA group called ad_users.

- created an IPA group called ad_users_external.

Did you create this group with --external?

- added ad_users_external as a member of ad_users.

But the final step isn't working:

ipa group-add-member ad_users_external --external AD\IPA Users

gives:

ipa: ERROR: attribute ipaExternalMember not allowed

How can I fix this?

Also, I discovered that even without adding this AD group, every AD 
user in our domain can SSH to the IPA server. That's convenient for 
the users, but not really what I'm looking for. Why aren't logins 
restricted to users in the ad_users group?

Just taking the last question...

Seems the initial/default setup for IPA server is to put in an 
'allow_all' rule. Thus you can actively manage HBAC but out of the 
box, it is essentially turned off by that rule.

Craig

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Freeipa-users] Can't add AD user group to IPA group

2015-03-06 Thread Guertin, David S.
I'm on my second attempt trying to set up an IPA server with a trust 
relationship to our AD domain. The first attempt had inexplicable problems with 
winbind, so this time I've set up a RHEL7 server, and things are going better, 
but I'm stuck when trying to add an AD user group to an IPA group.


I have already:

- created an IPA group called ad_users.

- created an IPA group called ad_users_external.

- added ad_users_external as a member of ad_users.


But the final step isn't working:

ipa group-add-member ad_users_external --external AD\IPA Users


gives:

ipa: ERROR: attribute ipaExternalMember not allowed


How can I fix this?


Also, I discovered that even without adding this AD group, every AD user in our 
domain can SSH to the IPA server. That's convenient for the users, but not 
really what I'm looking for. Why aren't logins restricted to users in the 
ad_users group?


David Guertin

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-06 Thread Craig White

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Guertin, David S.
Sent: Friday, March 06, 2015 1:04 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Can't add AD user group to IPA group


I'm on my second attempt trying to set up an IPA server with a trust 
relationship to our AD domain. The first attempt had inexplicable problems with 
winbind, so this time I've set up a RHEL7 server, and things are going better, 
but I'm stuck when trying to add an AD user group to an IPA group.

I have already:

- created an IPA group called ad_users.

- created an IPA group called ad_users_external.

- added ad_users_external as a member of ad_users.

But the final step isn't working:

ipa group-add-member ad_users_external --external AD\IPA Users

gives:

ipa: ERROR: attribute ipaExternalMember not allowed

How can I fix this?

Also, I discovered that even without adding this AD group, every AD user in our 
domain can SSH to the IPA server. That's convenient for the users, but not 
really what I'm looking for. Why aren't logins restricted to users in the 
ad_users group?

Just taking the last question...

Seems the initial/default setup for IPA server is to put in an 'allow_all' 
rule. Thus you can actively manage HBAC but out of the box, it is essentially 
turned off by that rule.

Craig