Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-15 Thread Jakub Hrozek
On Wed, Jul 15, 2015 at 01:09:42PM -0700, Angelo Pantano wrote:
 SSSD is able to evaluate group membership, but if for instance I create a
 view for my user and I add an ssh public key I can only use it to log in
 passwordless in the IPA server, not on an IPA client. The password still
 works, but I see nothing in the sssd logs that explains why the pubkey was
 rejected on the IPA client. Could be that the client is not really aware
 that there is a view override? I thought that the external mapping would
 facilitate this..

The views usage is new to me in this thread. Please note there were a
number of bugs in the views functionality in 7.1 that were not fixed in
the 7.1.z stream so far. If you have a test setup, then it would be best
to try and reproduce the bug with the latest 1.12 packages from a COPR
repo we have. Would that be possible?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-15 Thread Angelo Pantano
SSSD is able to evaluate group membership, but if for instance I create a
view for my user and I add an ssh public key I can only use it to log in
passwordless in the IPA server, not on an IPA client. The password still
works, but I see nothing in the sssd logs that explains why the pubkey was
rejected on the IPA client. Could be that the client is not really aware
that there is a view override? I thought that the external mapping would
facilitate this..

On Mon, Jul 13, 2015 at 11:46 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Mon, 13 Jul 2015, Angelo Pantano wrote:

 I have the same entry there, my question is that I don't understand why it
 doesn't give me any visibility of the AD users mapped in that group, I
 mean I just see that entry, but what's that supposed to do? It doesn't
 really change anything with or without, I am missing the supposed value of
 having the AD users mapped in a FreeIPA posix group.

 I was expecting to see the AD users in that group, but I got nothing.. I'm
 a bit confused

 Read the documentation.

 Once you have added an AD user or group as an external member of an external IPA
 group and then added this group as a member of an IPA POSIX group, a user
 belonging to the AD group would appear as a member of the IPA POSIX group:

 # id administra...@adx.test
 uid=1878600500(administra...@adx.test) gid=1878600500(administra...@adx.test) groups=1878600500(administra...@adx.test),1878600520(group policy creator own...@adx.test),1878600519(enterprise adm...@adx.test),1878600512(domain adm...@adx.test),1878600518(schema adm...@adx.test),1878600513(domain us...@adx.test),163447(ad_admins)

 You wouldn't see this in the web UI because the web UI shows what is in
 LDAP, not what is visible in the system when SSSD evaluates the
 group membership.
 --
 / Alexander Bokovoy


Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Alexander Bokovoy

On Mon, 13 Jul 2015, Angelo Pantano wrote:

I have the same entry there, my question is that I don't understand why it
doesn't give me any visibility of the AD users mapped in that group, I
mean I just see that entry, but what's that supposed to do? It doesn't
really change anything with or without, I am missing the supposed value of
having the AD users mapped in a FreeIPA posix group.

I was expecting to see the AD users in that group, but I got nothing.. I'm
a bit confused

Read the documentation.

Once you have added an AD user or group as an external member of an external IPA
group and then added this group as a member of an IPA POSIX group, a user
belonging to the AD group would appear as a member of the IPA POSIX group:

# id administra...@adx.test
uid=1878600500(administra...@adx.test) gid=1878600500(administra...@adx.test) groups=1878600500(administra...@adx.test),1878600520(group policy creator own...@adx.test),1878600519(enterprise adm...@adx.test),1878600512(domain adm...@adx.test),1878600518(schema adm...@adx.test),1878600513(domain us...@adx.test),163447(ad_admins)

You wouldn't see this in the web UI because the web UI shows what is in
LDAP, not what is visible in the system when SSSD evaluates the
group membership.
--
/ Alexander Bokovoy



Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Jan Pazdziora
On Tue, Jul 14, 2015 at 09:46:00AM +0300, Alexander Bokovoy wrote:
 adm...@adx.test),1878600513(domain us...@adx.test),163447(ad_admins)
 
 You wouldn't see this in the web UI because web UI is showing what is in
 the LDAP, not what is visible in the system when SSSD evaluates the
 group membership.

Would it make sense to have a way of running the SSSD evaluation from
the WebUI and showing the results there? Clearly distinguished from
the LDAP data, yet exposed in the WebUI ...

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Jan Pazdziora
On Tue, Jul 14, 2015 at 11:06:20AM +0300, Alexander Bokovoy wrote:
 On Tue, 14 Jul 2015, Jan Pazdziora wrote:
 
 Would it make sense to have a way of running the SSSD evaluation from
 the WebUI and showing the results there? Clearly distinguished from
 the LDAP data, yet exposed in the WebUI ...
 Definitely not here. We have checks for HBAC rules with AD users that
 explicitly take external group membership into account already.
 
 Resolving AD group membership is a time-consuming operation and adding it
 into a normal path is going to slow down everything.

Sure. So how about a separate tab, which could also ask for confirmation
if the user wants to run the enumeration?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Alexander Bokovoy

On Tue, 14 Jul 2015, Jan Pazdziora wrote:

On Tue, Jul 14, 2015 at 09:46:00AM +0300, Alexander Bokovoy wrote:

adm...@adx.test),1878600513(domain us...@adx.test),163447(ad_admins)

You wouldn't see this in the web UI because web UI is showing what is in
the LDAP, not what is visible in the system when SSSD evaluates the
group membership.


Would it make sense to have a way of running the SSSD evaluation from
the WebUI and showing the results there? Clearly distinguished from
the LDAP data, yet exposed in the WebUI ...

Definitely not here. We have checks for HBAC rules with AD users that
explicitly take external group membership into account already.

Resolving AD group membership is a time-consuming operation and adding it
into a normal path is going to slow down everything.

--
/ Alexander Bokovoy



Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Angelo Pantano
I have the same entry there, my question is that I don't understand why it
doesn't give me any visibility of the AD users mapped in that group, I
mean I just see that entry, but what's that supposed to do? It doesn't
really change anything with or without, I am missing the supposed value of
having the AD users mapped in a FreeIPA posix group.

I was expecting to see the AD users in that group, but I got nothing.. I'm
a bit confused

On Mon, Jul 13, 2015 at 10:52 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Mon, 13 Jul 2015, Angelo Pantano wrote:

 I added the external groups to map my Domain Admins AD group like the
 freeipa documentation suggests:

 # ipa group-add --desc='ad_domain admins external map' ad_admins_external --external
 # ipa group-add --desc='ad_domain admins' ad_admins
 # ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
 # ipa group-add-member ad_admins --groups ad_admins_external

 But I don't see any user in the web interface under ad_admins or
 ad_admins_external. I thought that this would give us a view of the AD
 users in FreeIPA, but I don't see any difference..
 Am I missing something here?

 Where did you look for them?

 External members for the ad_admins_external group would be under the 'external'
 tab, like in the attached screenshot.

 --
 / Alexander Bokovoy


Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-13 Thread Alexander Bokovoy

On Mon, 13 Jul 2015, Angelo Pantano wrote:

I added the external groups to map my Domain Admins AD group like the
freeipa documentation suggests:

# ipa group-add --desc='ad_domain admins external map' ad_admins_external --external
# ipa group-add --desc='ad_domain admins' ad_admins
# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain Admins'
# ipa group-add-member ad_admins --groups ad_admins_external

But I don't see any user in the web interface under ad_admins or
ad_admins_external. I thought that this would give us a view of the AD
users in FreeIPA, but I don't see any difference..
Am I missing something here?

Where did you look for them?

External members for the ad_admins_external group would be under the 'external'
tab, like in the attached screenshot.

--
/ Alexander Bokovoy
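A client-side check in the spirit of the `id` test Alexander quotes, for the ad_admins_external -> ad_admins mapping built with the commands above. This is an added example, not code from the thread, FreeIPA or SSSD: it parses what `id` prints on the IPA client and reports whether the AD user actually resolves into the mapped POSIX group, which the LDAP-backed web UI cannot show. The sample `id` line, the user jdoe@adx.test and its gids are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or SSSD): verify on an IPA client
# that an AD user resolves into the POSIX group its external group maps to.
# The web UI shows only the LDAP entry (the external group's members); SSSD
# computes the real membership at lookup time, so `id` is the check.

# id_has_group ID_OUTPUT GROUPNAME
# Returns 0 if GROUPNAME is in the groups= field of ID_OUTPUT, 1 if it is not,
# 2 if ID_OUTPUT has no groups= field (user unknown to SSSD on this host).
id_has_group() {
    id_output=$1
    wanted=$2
    # Join mail-style wrapped lines and keep everything after "groups=".
    joined=$(printf '%s\n' "$id_output" | tr -d '\n')
    case $joined in
        *groups=*) groups_field=${joined##*groups=} ;;
        *) return 2 ;;
    esac
    # AD group names may contain spaces ("domain admins@adx.test"), so split
    # the field on commas only, never on blanks.
    old_ifs=$IFS
    IFS=,
    for entry in $groups_field; do
        name=${entry#*\(}   # drop the "gid(" prefix
        name=${name%\)}     # drop the trailing ")"
        if [ "$name" = "$wanted" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Constructed sample in the shape of the `id` output quoted in the thread
# (jdoe@adx.test and the gids are made up; real `id` prints one line).
SAMPLE_ID_OUTPUT='uid=1878600600(jdoe@adx.test) gid=1878600600(jdoe@adx.test) groups=1878600600(jdoe@adx.test),1878600512(domain admins@adx.test),163447(ad_admins)'

# On a real client: sh check_ad_group.sh 'jdoe@adx.test' ad_admins
if [ $# -eq 2 ]; then
    if id_has_group "$(id "$1" 2>/dev/null)" "$2"; then
        echo "$1 is a member of $2 as resolved by SSSD on this host"
    else
        echo "$1 does not resolve into $2 here; check the external group's members and the sssd domain log" >&2
        exit 1
    fi
fi
```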