<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> freeipa-users-bounces@redhat.com [mailto:freeipa-users-bounces@redhat.com]
<b>On Behalf Of </b>Guertin, David S.<br>
<b>Sent:</b> Friday, March 06, 2015 1:04 PM<br>
<b>To:</b> freeipa-users@redhat.com<br>
<b>Subject:</b> [Freeipa-users] Can't add AD user group to IPA group<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">I'm on my second attempt trying to set up an IPA server with a trust relationship to our AD domain. The first attempt had inexplicable problems with winbind, so this time I've set up a RHEL7 server,
and things are going better, but I'm stuck when trying to add an AD user group to an IPA group.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">I have already:<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">- created an IPA group called ad_users.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">- created an IPA group called ad_users_external.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">- added ad_users_external as a member of ad_users.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">But the final step isn't working:<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">ipa group-add-member ad_users_external --external "AD\IPA Users"<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">gives:<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">ipa: ERROR: attribute "ipaExternalMember" not allowed<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">How can I fix this?<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<div style="mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;padding:0in 0in 1.0pt 0in">
<p style="border:none;padding:0in"><span style="font-family:"Calibri","sans-serif";color:black">Also, I discovered that even without adding this AD group, every AD user in our domain can SSH to the IPA server. That's convenient for the users, but not really
what I'm looking for. Why aren't logins restricted to users in the ad_users group?<o:p></o:p></span></p>
</div>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D">Just taking the last question…<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D">Seems the initial/default setup for IPA server is to put in an ‘allow_all’ rule. Thus you can actively manage HBAC but out of the box, it is essentially turned off by that rule.<o:p></o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:#1F497D">Craig</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</div>
</body>
</html>