Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
and here is my sssd debug log from client side http://pastebin.com/ud2q3FR5 On Sat, Apr 30, 2016 at 10:06 AM, Ben .T.George wrote: > Hi > > Adding this this. > > in AD I have added 2 users, ben and jude. In my HBAC rule, I pointed this > specific external group and

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
Hi Adding this this. in AD I have added 2 users, ben and jude. In my HBAC rule, I pointed this specific external group and (were these users) but while checking the rule from IPA server using hbactest, both users test passes and showing one rol. but in actual only ben can able to login to

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Surprisingly I have created some local IPA users and added to same HBAC rule, and removed AD group and applied this rule to client, and that worked. How can I make this AD group with HBAC working? Regards, Ben On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George wrote: > HI

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI If I disable allow_all rule, I am not able to login to client machine. On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George wrote: > HI > > actually I have added Domain Admins and the user ben is not part of Domain > Admins. But

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI actually I have added Domain Admins and the user ben is not part of Domain Admins. But when I login to client machine, I am getting below -sh-4.2$ id uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(*domain

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI while explaining here it went wrong. actually what I did is "Added external group to POSIX group" On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > > HI, > > > > "The other is that the groups might not show

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > HI, > > "The other is that the groups might not show up on the client (do they?)" id $user. But I think Alexander noticed the root cause. > > how can i check that. > > Thanks > Ben > > On Fri, Apr 29, 2016 at 5:59 PM, Jakub

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi I have created 2 fresh users now and I was running below, [root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd ipa: ERROR: trusted domain user not found [root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd ipa: ERROR:

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi Alex, yea my mistake. I was following u this http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy wrote: > On Fri, 29 Apr 2016, Ben .T.George wrote: >

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI, "The other is that the groups might not show up on the client (do they?)" how can I check that. Thanks Ben On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > > Hi List, > > > > I have working setup

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Alexander Bokovoy
On Fri, 29 Apr 2016, Ben .T.George wrote: Hi List, I have working setup of one AD, one IPA server and one client server. by default I can login to client server by using AD username. I want to apply HBAC rules against this client server. For that I have done below steps. 1. created External

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > Hi List, > > I have working setup of one AD, one IPA server and one client server. by > default I can login to client server by using AD username. > > I want to apply HBAC rules against this client server. For that I have done >

[Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi List, I have working setup of one AD, one IPA server and one client server. by default I can login to client server by using AD username. I want to apply HBAC rules against this client server. For that I have done below steps. 1. created External group in IPA server 2. created local POSIX