Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-11 Thread Guertin, David S.
> For troubleshooting this you need to enable debug_level=10 in sssd.conf in
> domain and pam sections. Restart sssd and try to login.

OK, this has pinpointed the problem. The log file now shows: (Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] (0x1000): Mapping user [guert

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Alexander Bokovoy
On Tue, 10 Mar 2015, Guertin, David S. wrote: You should be able to 'see' them via getent passwd but they should not be allowed to login when HBAC_ALLOW_ALL is disabled. Ah, OK, thanks, that's what is happening. I can see them with getent passwd and id, and I can su to them, but I can't log in

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Guertin, David S.
> You should be able to 'see' them via getent passwd but they should not be
> allowed to login when HBAC_ALLOW_ALL is disabled.

Ah, OK, thanks, that's what is happening. I can see them with getent passwd and id, and I can su to them, but I can't log in as them. On the other hand, I also can't lo

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Jakub Hrozek
On Tue, Mar 10, 2015 at 11:14:21AM +, Guertin, David S. wrote:
> > > Seems the initial/default setup for IPA server is to put in an 'allow_all'
> > rule. Thus you can actively manage HBAC but out of the box, it is
> > essentially
> > turned off by that rule.
> >
> > Yes. The default was the o

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Alexander Bokovoy
On Tue, 10 Mar 2015, Guertin, David S. wrote:
> Seems the initial/default setup for IPA server is to put in an 'allow_all' rule. Thus you can actively manage HBAC but out of the box, it is essentially turned off by that rule.

Yes. The default was the opposite very long time ago, you had to expli

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Petr Spacek
On 10.3.2015 12:14, Guertin, David S. wrote:
>>> Seems the initial/default setup for IPA server is to put in an 'allow_all'
>> rule. Thus you can actively manage HBAC but out of the box, it is essentially
>> turned off by that rule.
>>
>> Yes. The default was the opposite very long time ago, you ha

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Guertin, David S.
>
> Seems the initial/default setup for IPA server is to put in an 'allow_all'
> rule. Thus you can actively manage HBAC but out of the box, it is essentially
> turned off by that rule.
>
> Yes. The default was the opposite very long time ago, you had to explicitly
> enable access to the box. But

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Guertin, David S.
>>I have already:
>>- created an IPA group called ad_users.
>>- created an IPA group called ad_users_external.
> Did you create this group with --external?

Doh! Nope, somehow I missed that. I've done that and that part is working now. But the other part of the question remains, i.e. I'm still se

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-08 Thread Jakub Hrozek
On Fri, Mar 06, 2015 at 08:24:28PM +, Craig White wrote:
> Seems the initial/default setup for IPA server is to put in an 'allow_all'
> rule. Thus you can actively manage HBAC but out of the box, it is essentially
> turned off by that rule.

Yes. The default was the opposite very long time ag

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-07 Thread Dmitri Pal
On 03/06/2015 03:24 PM, Craig White wrote:
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Guertin, David S.
Sent: Friday, March 06, 2015 1:04 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Can't add AD user group to IPA group
I

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-06 Thread Craig White
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Guertin, David S.
Sent: Friday, March 06, 2015 1:04 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Can't add AD user group to IPA group
I'm on my second attempt trying to set up an IPA server