<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="+1">Hi Folks,<br>
<br>
Last week I deployed freeipa on a CentOS7 VM. The installation
went very smoothly using:<br>
<br>
yum install ipa-server<br>
<br>
and<br>
<br>
ipa-server-install<br>
<br>
<br>
My issue is with connecting a CentOS 7 client. On my client, I
yum installed ipa-client and ipa-admintools.<br>
I then ran "ipa-client-install" and answered the setup questions
(very easy and smooth).<br>
<br>
The "getent passwd" command didn't return any users, but the
"getent passwd jdoe" does give the information<br>
for the user. I found in the archives that I can set
"enumerate=True" so I get a complete user listing. That<br>
seems to be working, and I was able to login with the account
"jdoe" (brilliant!).<br>
<br>
Problem 1:<br>
========<br>
<br>
I created a user group on the ipa server with the following
attributes:<br>
<br>
name = xyx, gid = 1000<br>
<br>
I changed the user "jdoe" to have gid = 1000, but when I ssh into
the ipa client, I get the following message after<br>
logging in: <br>
<br>
</font>/usr/bin/id: cannot find name for group ID 1000<br>
<br>
A "getent group" command does list the group: xyz:*:1000:<br>
<br>
A "groups" command issued by the user shows: xyz<br>
<br>
Files created by the user show the correct ownership and group.<br>
<font size="+1">
<br>
Problem 2:<br>
=======<br>
<br>
I've been looking through the freeipa groups and literature and I
can't figure out how to limit user login access to<br>
an ipa client by a memberOf group.<br>
<br>
When I was using CentOS 6 and 7 I could use the nslcd.conf file to
put in a group filter like:<br>
<br>
passwd
(&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))<br>
<br>
<br>
I tried changing the access_provider to simple and using the
"simply_allow_groups = test", but that didn't work.<br>
However, using "access_provider = ipa" and "filter_users" did
allow me to filter out a user from the "getent passwd" command.<br>
<br>
I tried changing the access_provider to ldap and using the filter
"ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu"<br>
but that failed too.<br>
<br>
<br>
I'd appreciate any suggestions.<br>
<br>
Thanks,<br>
<br>
- signed an "ipa newbie"<br>
</font>
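An added example, not part of the original post, of the sssd.conf domain section for the approach tried in Problem 2: the simple access provider's option is spelled simple_allow_groups, and only members of the listed group are allowed to log in on that client. The domain and host names are assumed; the group "test" is the one named in the post.

```ini
# /etc/sssd/sssd.conf -- added example, not from the original post.
# Domain "abc.xyx.edu" and the host names are assumed; ipa-client-install
# normally writes the id/auth settings, only the access_* lines change.
[sssd]
services = nss, pam
domains = abc.xyx.edu

[domain/abc.xyx.edu]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
ipa_domain = abc.xyx.edu
ipa_server = _srv_, ipa.abc.xyx.edu
ipa_hostname = client.abc.xyx.edu
cache_credentials = True

# Host-local allow list: only members of the IPA group "test" may log in.
# The option is simple_allow_groups; a misspelled option name such as
# simply_allow_groups is not recognised, so no restriction is applied.
access_provider = simple
simple_allow_groups = test
```

After editing, restart sssd and clear its cache (sss_cache -E) so the new access rule is evaluated on the next login. Switching from access_provider = ipa to simple also means the client no longer evaluates the access rules defined on the IPA server, so the allow list must be maintained on each client.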
</body>
</html>