Re: [Freeipa-users] trusted user groups

2015-05-18 Thread Martin Kosek
On 05/18/2015 04:50 PM, Andy Thompson wrote:
>> -Original Message-
>> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
>> Sent: Monday, May 18, 2015 10:33 AM
>> To: Andy Thompson
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] trusted user groups
>>
>> On (18/05/15 13:55), Andy Thompson wrote:
>>>> -Original Message-
>>>> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
>>>> Sent: Thursday, May 14, 2015 4:41 PM
>>>> To: Andy Thompson
>>>> Cc: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] trusted user groups
>>>>
>>>> On (14/05/15 15:53), Andy Thompson wrote:
>>>>>> -Original Message-
>>>>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>>>>>> boun...@redhat.com] On Behalf Of Jakub Hrozek
>>>>>> Sent: Thursday, May 14, 2015 11:46 AM
>>>>>> To: freeipa-users@redhat.com
>>>>>> Subject: Re: [Freeipa-users] trusted user groups
>>>>>>
>>>>>> On Thu, May 14, 2015 at 03:33:28PM +, Andy Thompson wrote:
>>>>>>> I've noticed that trusted users supplementary ad groups don't
>>>>>>> show up
>>>>>> until after the users login to the box at least once.
>>>>>>
>>>>>> That's expected with the versions you're running. Prior to 6.7, we
>>>>>> could only read the trusted users' group membership from the PAC
>>>>>> blob attached to the Kerberos ticket.
>>>>>>
>>>>>>
>>>>>>> Is there a chance that information will be dropped again at any
>>>>>>> point going
>>>>>> forward?
>>>>>>
>>>>>> No, otherwise it's a bug.
>>>>>>
>>>>>>>
>>>>>>> The reason I ask is that on our sftp boxes we chroot users based
>>>>>>> on group membership.  I set that up as an external group in
>>>>>>> freeIPA and the first time the user logs in to the sftp box,
>>>>>>> they are dropped in their normal home directory as opposed to
>>>>>>> the chroot environment.  If there is a chance the group
>>>>>>> membership will not show up correctly again in the future, I'm
>>>>>>> inclined to change the chroot stanzas to match on
>>>>>> user as opposed to group.
>>>>>>>
>>>>>>> Is that by design?
>>>>>>
>>>>>> If you can't see the correct group memberships after a login, then
>>>>>> something is fishy. However, we're rebasing to sssd 1.12.x in 6.7
>>>>>> and there's so many fixes and enhancements in this area..is there
>>>>>> a chance you could try out 6.7 beta or some custom packages?
>>>>>>
>>>>>
>>>>> Group memberships show up fine after the first login so it is
>>>>> working as
>>>> expected then.  The accounts are very controlled so it shouldn't be a
>>>> huge sticking point.  I could try out some custom packages on this
>>>> box but I can't move to 6.7 until we upgrade the entire environment.
>>>>>
>>>> Here you are
>>>> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/
>>>>
>>>
>>> To just bring this full circle, the latest sssd release reads group 
>>> membership
>> correctly without a Kerberos ticket.  I tested this release on 6.6 and 
>> tested a
>> 7.1 box and both worked without issue.
>>>
>> I'm glad it works for you.
>>
>>> I just can't roll them in production yet :/
>>>
>> I see.
>>
> 
> You have any insight into when 6.7 will be released?

We cannot give any exact date at the moment, but given that 6.7 Beta is already
out, the GA should be out summer-ish. You can try to use the Beta packages now
or wait until it really hits GA.

HTH,
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] trusted user groups

2015-05-18 Thread Andy Thompson
> -Original Message-
> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
> Sent: Monday, May 18, 2015 10:33 AM
> To: Andy Thompson
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trusted user groups
> 
> On (18/05/15 13:55), Andy Thompson wrote:
> >> -Original Message-
> >> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
> >> Sent: Thursday, May 14, 2015 4:41 PM
> >> To: Andy Thompson
> >> Cc: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] trusted user groups
> >>
> >> On (14/05/15 15:53), Andy Thompson wrote:
> >> >> -Original Message-
> >> >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> >> >> boun...@redhat.com] On Behalf Of Jakub Hrozek
> >> >> Sent: Thursday, May 14, 2015 11:46 AM
> >> >> To: freeipa-users@redhat.com
> >> >> Subject: Re: [Freeipa-users] trusted user groups
> >> >>
> >> >> On Thu, May 14, 2015 at 03:33:28PM +, Andy Thompson wrote:
> >> >> > I've noticed that trusted users supplementary ad groups don't
> >> >> > show up
> >> >> until after the users login to the box at least once.
> >> >>
> >> >> That's expected with the versions you're running. Prior to 6.7, we
> >> >> could only read the trusted users' group membership from the PAC
> >> >> blob attached to the Kerberos ticket.
> >> >>
> >> >>
> >> >> > Is there a chance that information will be dropped again at any
> >> >> > point going
> >> >> forward?
> >> >>
> >> >> No, otherwise it's a bug.
> >> >>
> >> >> >
> >> >> > The reason I ask is that on our sftp boxes we chroot users based
> >> >> > on group membership.  I set that up as an external group in
> >> >> > freeIPA and the first time the user logs in to the sftp box,
> >> >> > they are dropped in their normal home directory as opposed to
> >> >> > the chroot environment.  If there is a chance the group
> >> >> > membership will not show up correctly again in the future, I'm
> >> >> > inclined to change the chroot stanzas to match on
> >> >> user as opposed to group.
> >> >> >
> >> >> > Is that by design?
> >> >>
> >> >> If you can't see the correct group memberships after a login, then
> >> >> something is fishy. However, we're rebasing to sssd 1.12.x in 6.7
> >> >> and there's so many fixes and enhancements in this area..is there
> >> >> a chance you could try out 6.7 beta or some custom packages?
> >> >>
> >> >
> >> >Group memberships show up fine after the first login so it is
> >> >working as
> >> expected then.  The accounts are very controlled so it shouldn't be a
> >> huge sticking point.  I could try out some custom packages on this
> >> box but I can't move to 6.7 until we upgrade the entire environment.
> >> >
> >> Here you are
> >> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/
> >>
> >
> >To just bring this full circle, the latest sssd release reads group 
> >membership
> correctly without a Kerberos ticket.  I tested this release on 6.6 and tested 
> a
> 7.1 box and both worked without issue.
> >
> I'm glad it works for you.
> 
> >I just can't roll them in production yet :/
> >
> I see.
> 

You have any insight into when 6.7 will be released?



Re: [Freeipa-users] trusted user groups

2015-05-18 Thread Lukas Slebodnik
On (18/05/15 13:55), Andy Thompson wrote:
>> -Original Message-
>> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
>> Sent: Thursday, May 14, 2015 4:41 PM
>> To: Andy Thompson
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] trusted user groups
>> 
>> On (14/05/15 15:53), Andy Thompson wrote:
>> >> -Original Message-
>> >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>> >> boun...@redhat.com] On Behalf Of Jakub Hrozek
>> >> Sent: Thursday, May 14, 2015 11:46 AM
>> >> To: freeipa-users@redhat.com
>> >> Subject: Re: [Freeipa-users] trusted user groups
>> >>
>> >> On Thu, May 14, 2015 at 03:33:28PM +, Andy Thompson wrote:
>> >> > I've noticed that trusted users supplementary ad groups don't show
>> >> > up
>> >> until after the users login to the box at least once.
>> >>
>> >> That's expected with the versions you're running. Prior to 6.7, we
>> >> could only read the trusted users' group membership from the PAC blob
>> >> attached to the Kerberos ticket.
>> >>
>> >>
>> >> > Is there a chance that information will be dropped again at any
>> >> > point going
>> >> forward?
>> >>
>> >> No, otherwise it's a bug.
>> >>
>> >> >
>> >> > The reason I ask is that on our sftp boxes we chroot users based on
>> >> > group membership.  I set that up as an external group in freeIPA
>> >> > and the first time the user logs in to the sftp box, they are
>> >> > dropped in their normal home directory as opposed to the chroot
>> >> > environment.  If there is a chance the group membership will not
>> >> > show up correctly again in the future, I'm inclined to change the
>> >> > chroot stanzas to match on
>> >> user as opposed to group.
>> >> >
>> >> > Is that by design?
>> >>
>> >> If you can't see the correct group memberships after a login, then
>> >> something is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and
>> >> there's so many fixes and enhancements in this area..is there a
>> >> chance you could try out 6.7 beta or some custom packages?
>> >>
>> >
>> >Group memberships show up fine after the first login so it is working as
>> expected then.  The accounts are very controlled so it shouldn't be a huge
>> sticking point.  I could try out some custom packages on this box but I can't
>> move to 6.7 until we upgrade the entire environment.
>> >
>> Here you are
>> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/
>> 
>
>To just bring this full circle, the latest sssd release reads group membership 
>correctly without a Kerberos ticket.  I tested this release on 6.6 and tested 
>a 7.1 box and both worked without issue.
>
I'm glad it works for you.

>I just can't roll them in production yet :/
>
I see.

LS



Re: [Freeipa-users] trusted user groups

2015-05-18 Thread Andy Thompson
> -Original Message-
> From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
> Sent: Thursday, May 14, 2015 4:41 PM
> To: Andy Thompson
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trusted user groups
> 
> On (14/05/15 15:53), Andy Thompson wrote:
> >> -Original Message-
> >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> >> boun...@redhat.com] On Behalf Of Jakub Hrozek
> >> Sent: Thursday, May 14, 2015 11:46 AM
> >> To: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] trusted user groups
> >>
> >> On Thu, May 14, 2015 at 03:33:28PM +, Andy Thompson wrote:
> >> > I've noticed that trusted users supplementary ad groups don't show
> >> > up
> >> until after the users login to the box at least once.
> >>
> >> That's expected with the versions you're running. Prior to 6.7, we
> >> could only read the trusted users' group membership from the PAC blob
> >> attached to the Kerberos ticket.
> >>
> >>
> >> > Is there a chance that information will be dropped again at any
> >> > point going
> >> forward?
> >>
> >> No, otherwise it's a bug.
> >>
> >> >
> >> > The reason I ask is that on our sftp boxes we chroot users based on
> >> > group membership.  I set that up as an external group in freeIPA
> >> > and the first time the user logs in to the sftp box, they are
> >> > dropped in their normal home directory as opposed to the chroot
> >> > environment.  If there is a chance the group membership will not
> >> > show up correctly again in the future, I'm inclined to change the
> >> > chroot stanzas to match on
> >> user as opposed to group.
> >> >
> >> > Is that by design?
> >>
> >> If you can't see the correct group memberships after a login, then
> >> something is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and
> >> there's so many fixes and enhancements in this area..is there a
> >> chance you could try out 6.7 beta or some custom packages?
> >>
> >
> >Group memberships show up fine after the first login so it is working as
> expected then.  The accounts are very controlled so it shouldn't be a huge
> sticking point.  I could try out some custom packages on this box but I can't
> move to 6.7 until we upgrade the entire environment.
> >
> Here you are
> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/
> 

To just bring this full circle, the latest sssd release reads group membership 
correctly without a Kerberos ticket.  I tested this release on 6.6 and tested a 
7.1 box and both worked without issue.

I just can't roll them in production yet :/
 
Thanks

-andy


Re: [Freeipa-users] trusted user groups

2015-05-14 Thread Lukas Slebodnik
On (14/05/15 15:53), Andy Thompson wrote:
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>> boun...@redhat.com] On Behalf Of Jakub Hrozek
>> Sent: Thursday, May 14, 2015 11:46 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] trusted user groups
>> 
>> On Thu, May 14, 2015 at 03:33:28PM +, Andy Thompson wrote:
>> > I've noticed that trusted users supplementary ad groups don't show up
>> until after the users login to the box at least once.
>> 
>> That's expected with the versions you're running. Prior to 6.7, we could only
>> read the trusted users' group membership from the PAC blob attached to
>> the Kerberos ticket.
>> 
>> 
>> > Is there a chance that information will be dropped again at any point going
>> forward?
>> 
>> No, otherwise it's a bug.
>> 
>> >
>> > The reason I ask is that on our sftp boxes we chroot users based on
>> > group membership.  I set that up as an external group in freeIPA and
>> > the first time the user logs in to the sftp box, they are dropped in
>> > their normal home directory as opposed to the chroot environment.  If
>> > there is a chance the group membership will not show up correctly
>> > again in the future, I'm inclined to change the chroot stanzas to match on
>> user as opposed to group.
>> >
>> > Is that by design?
>> 
>> If you can't see the correct group memberships after a login, then something
>> is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and there's so many
>> fixes and enhancements in this area..is there a chance you could try out 6.7
>> beta or some custom packages?
>> 
>
>Group memberships show up fine after the first login so it is working as 
>expected then.  The accounts are very controlled so it shouldn't be a huge 
>sticking point.  I could try out some custom packages on this box but I can't 
>move to 6.7 until we upgrade the entire environment.  
>
Here you are
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/

LS



Re: [Freeipa-users] trusted user groups

2015-05-14 Thread Andy Thompson
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Thursday, May 14, 2015 11:46 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trusted user groups
> 
> On Thu, May 14, 2015 at 03:33:28PM +, Andy Thompson wrote:
> > I've noticed that trusted users supplementary ad groups don't show up
> until after the users login to the box at least once.
> 
> That's expected with the versions you're running. Prior to 6.7, we could only
> read the trusted users' group membership from the PAC blob attached to
> the Kerberos ticket.
> 
> 
> > Is there a chance that information will be dropped again at any point going
> forward?
> 
> No, otherwise it's a bug.
> 
> >
> > The reason I ask is that on our sftp boxes we chroot users based on
> > group membership.  I set that up as an external group in freeIPA and
> > the first time the user logs in to the sftp box, they are dropped in
> > their normal home directory as opposed to the chroot environment.  If
> > there is a chance the group membership will not show up correctly
> > again in the future, I'm inclined to change the chroot stanzas to match on
> user as opposed to group.
> >
> > Is that by design?
> 
> If you can't see the correct group memberships after a login, then something
> is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and there's so many
> fixes and enhancements in this area..is there a chance you could try out 6.7
> beta or some custom packages?
> 

Group memberships show up fine after the first login so it is working as 
expected then.  The accounts are very controlled so it shouldn't be a huge 
sticking point.  I could try out some custom packages on this box but I can't 
move to 6.7 until we upgrade the entire environment.  

Thanks much

-andy


Re: [Freeipa-users] trusted user groups

2015-05-14 Thread Jakub Hrozek
On Thu, May 14, 2015 at 03:33:28PM +, Andy Thompson wrote:
> I've noticed that trusted users supplementary ad groups don't show up until 
> after the users login to the box at least once. 

That's expected with the versions you're running. Prior to 6.7, we could
only read the trusted users' group membership from the PAC blob attached
to the Kerberos ticket.


> Is there a chance that information will be dropped again at any point going 
> forward?

No, otherwise it's a bug.

> 
> The reason I ask is that on our sftp boxes we chroot users based on group
> membership.  I set that up as an external group in freeIPA and the first
> time the user logs in to the sftp box, they are dropped in their normal
> home directory as opposed to the chroot environment.  If there is a chance
> the group membership will not show up correctly again in the future, I'm
> inclined to change the chroot stanzas to match on user as opposed to group.
> 
> Is that by design?

If you can't see the correct group memberships after a login, then
something is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and
there's so many fixes and enhancements in this area..is there a chance
you could try out 6.7 beta or some custom packages?

> 
> Running
> 
> sssd-ipa-1.11.6-30.el6_6.4.x86_64
> ipa-client-3.0.0-42.el6.x86_64
> 
> on RHEL6x clients against a RHEL7 4.1 ipa server
> 
> thanks
> 
> -andy
> 


[Freeipa-users] trusted user groups

2015-05-14 Thread Andy Thompson
I've noticed that trusted users supplementary ad groups don't show up until 
after the users login to the box at least once.  Is there a chance that 
information will be dropped again at any point going forward?

The reason I ask is that on our sftp boxes we chroot users based on group 
membership.  I set that up as an external group in freeIPA and the first time 
the user logs in to the sftp box, they are dropped in their normal home 
directory as opposed to the chroot environment.  If there is a chance the group 
membership will not show up correctly again in the future, I'm inclined to 
change the chroot stanzas to match on user as opposed to group.

Is that by design?

Running

sssd-ipa-1.11.6-30.el6_6.4.x86_64
ipa-client-3.0.0-42.el6.x86_64

on RHEL6x clients against a RHEL7 4.1 ipa server

thanks

-andy



*** This communication may contain privileged and/or confidential information. 
It is intended solely for the use of the addressee. If you are not the intended 
recipient, you are strictly prohibited from disclosing, copying, distributing 
or using any of this information. If you received this communication in error, 
please contact the sender immediately and destroy the material in its entirety, 
whether electronic or hard copy. ***
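The failure mode this thread describes (a `Match Group` chroot stanza that does not fire on a trusted user's first login, because the AD group only becomes visible once sssd has seen the PAC in a Kerberos ticket, and the `Match User` alternative Andy considers) as an added example that is not from the thread or from the sssd/FreeIPA projects. The sshd_config text, the group `sftp-external`, the path `/srv/sftp/%u` and the users `alice` and `bob` are all constructed; `effective_chroot` evaluates `Match User`/`Match Group` criteria by exact name only (real sshd also accepts wildcards and other criteria) and applies sshd's first-value-wins rule for `ChrootDirectory`. `chroot_drift` is the check a defender wants: it compares the chroot that applies with the groups the system resolves right now against the chroot that applies once the directory's full membership is visible.

```shell
#!/bin/sh
# Constructed sshd_config fragment (not the poster's real config).
# Stanza 1 chroots by group, stanza 2 by user name.
SAMPLE_SSHD_CONFIG='Subsystem sftp internal-sftp
Match Group sftp-external
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
Match User alice
    ChrootDirectory /srv/sftp/alice
    ForceCommand internal-sftp
'

# effective_chroot USER COMMA_SEPARATED_GROUPS CONFIG_TEXT
# Prints the ChrootDirectory sshd would apply to USER, or "none".
# Groups are comma separated because AD group names may contain spaces.
effective_chroot() {
    user=$1
    groups=$2
    config=$3
    printf '%s\n' "$config" | awk -v user="$user" -v groups="$groups" '
        BEGIN {
            n = split(groups, g, ",")
            for (i = 1; i <= n; i++) ingrp[g[i]] = 1
            active = 1          # lines before the first Match are global
            result = "none"
        }
        /^[[:space:]]*Match([[:space:]]|$)/ {
            # every criterion on the Match line must be satisfied
            active = 1
            for (i = 2; i + 1 <= NF; i += 2) {
                crit = $i
                hit = 0
                m = split($(i + 1), pats, ",")
                for (j = 1; j <= m; j++) {
                    if (crit == "User"  && pats[j] == user)    hit = 1
                    if (crit == "Group" && (pats[j] in ingrp)) hit = 1
                }
                if (!hit) active = 0
            }
            next
        }
        # first obtained value wins, as in sshd
        active && $1 == "ChrootDirectory" && result == "none" {
            result = $2
            gsub(/%u/, user, result)
        }
        END { print result }
    '
}

# chroot_drift USER GROUPS_SEEN_NOW GROUPS_IN_DIRECTORY CONFIG_TEXT
# Reports "stable:<dir>" when the chroot decision does not depend on
# groups the system cannot see yet, "drift:<now>-><later>" otherwise.
# A drift from "none" to a directory is exactly the first-login gap:
# the user lands in the normal home directory instead of the chroot.
chroot_drift() {
    user=$1
    seen_now=$2
    expected=$3
    config=$4
    now=$(effective_chroot "$user" "$seen_now" "$config")
    later=$(effective_chroot "$user" "$expected" "$config")
    if [ "$now" = "$later" ]; then
        echo "stable:$now"
    else
        echo "drift:$now->$later"
    fi
}

# Constructed scenario: before the first login only the primary AD group
# resolves; after it the supplementary group does too.
chroot_drift bob   'domain users' 'domain users,sftp-external' "$SAMPLE_SSHD_CONFIG"
chroot_drift alice 'domain users' 'domain users,sftp-external' "$SAMPLE_SSHD_CONFIG"
```

For a live host, pass the output of `id -nG "$user"` converted to a comma-separated list as the "seen now" argument and the membership you expect from the directory as the second; group names containing spaces will need a more careful conversion than `tr ' ' ','`. On OpenSSH versions that support it, `sshd -T -C user=...,host=...,addr=...` prints the effective configuration for a connection and is the authoritative check for what the real server would apply.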

