[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Michael Ströder
Charles Hedrick wrote: > In my opinion the whole rfc3704bis implementation of net groups is wonky. Since you seem to be using FreeIPA wouldn't it be a better solution to implement a script for converting your netgroups into HBAC rules? I never did this myself though. Ciao, Michael.

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick
In my opinion the whole rfc3704bis implementation of net groups is wonky. This isn’t the only problem. Why is there a distinction between internal and external hosts? Suppose I add an external host to a net group, and later do ipa host-add for it. If the distinction actually matters I’d expect

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Jakub Hrozek
Pavel, does this sound like the bug you were looking at wrt sudo lately? On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote: > Netapp wants the domain field to be blank. That leaves us a problem that’s > hard to solve. > > On Nov 8, 2017, at 4:41 PM, Charles Hedrick >

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick
Netapp wants the domain field to be blank. That leaves us a problem that’s hard to solve. On Nov 8, 2017, at 4:41 PM, Charles Hedrick > wrote: OK, I see what’s going on, but it looks like a bug. We mostly use net groups for hosts. In NIS our

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick
OK, I see what’s going on, but it looks like a bug. We mostly use net groups for hosts. In NIS our entries look like (hostname,,). You can put that into IPA by specifying NISdomain=, i.e. blank domain name. However if you do that, getent shows no entries. That is, entries with blank hostname

[SSSD-users] net groups with IPA

2017-11-08 Thread Charles Hedrick
We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re visible on a system that uses nslcd pointed at the IPA server. But the systems that use SSSD for authentication don’t show anything. The net groups all show as undefined. I’ve turned on debugging and looked at the

[SSSD-users] Re: How to match multiple access filter for a uid

2017-11-08 Thread Asif Iqbal
On Wed, Nov 8, 2017 at 3:39 PM, Sumit Bose wrote: > On Wed, Nov 08, 2017 at 02:39:46PM -0500, Asif Iqbal wrote: > > On Thu, Nov 2, 2017 at 12:05 PM, Asif Iqbal wrote: > > > > > Hi > > > > > > I like to authenticate user based on uid if meets the following two

[SSSD-users] Re: How to match multiple access filter for a uid

2017-11-08 Thread Sumit Bose
On Wed, Nov 08, 2017 at 02:39:46PM -0500, Asif Iqbal wrote: > On Thu, Nov 2, 2017 at 12:05 PM, Asif Iqbal wrote: > > > Hi > > > > I like to authenticate user based on uid if meets the following two > > requirements > > > > ldap_search_base = ou=People,dc=mnet,dc=qintra,dc=com >