[Freeipa-users] Can't add AD user group to IPA group
Dmitri Pal
dpal at redhat.com
Sat Mar 7 17:11:48 UTC 2015
On 03/06/2015 03:24 PM, Craig White wrote:
>
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Guertin, David S.
> Sent: Friday, March 06, 2015 1:04 PM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Can't add AD user group to IPA group
>
> I'm on my second attempt trying to set up an IPA server with a trust
> relationship to our AD domain. The first attempt had inexplicable
> problems with winbind, so this time I've set up a RHEL7 server, and
> things are going better, but I'm stuck when trying to add an AD user
> group to an IPA group.
>
> I have already:
>
> - created an IPA group called ad_users.
>
> - created an IPA group called ad_users_external.
>
Did you create this group with --external?
> - added ad_users_external as a member of ad_users.
>
> But the final step isn't working:
>
> ipa group-add-member ad_users_external --external "AD\IPA Users"
>
> gives:
>
> ipa: ERROR: attribute "ipaExternalMember" not allowed
>
> How can I fix this?
>
> Also, I discovered that even without adding this AD group, every AD
> user in our domain can SSH to the IPA server. That's convenient for
> the users, but not really what I'm looking for. Why aren't logins
> restricted to users in the ad_users group?
>
> Just taking the last question...
>
> Seems the initial/default setup for IPA server is to put in an
> 'allow_all' rule. Thus you can actively manage HBAC but out of the
> box, it is essentially turned off by that rule.
>
> Craig
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
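For reference, here is the complete sequence the original poster was attempting, plus the HBAC change Craig describes, as one added shell script. This is an added example written for this archive page, not code from the thread or from the FreeIPA project. The group names ad_users and ad_users_external come from the thread; the HBAC rule name (ad_users_ssh), the host (ipa.example.com), the AD domain (ad.example.com) and the sample group-show output used for the check are assumptions. The error in the thread, 'attribute "ipaExternalMember" not allowed', is what you get when the target group was created with a plain group-add instead of group-add --external, so the script includes a check for the ipaexternalgroup objectClass before the membership step. Set IPA=echo to dry-run (the commands are printed instead of executed); otherwise it needs a Kerberos ticket for an IPA admin.

```shell
# Added example: AD trust group mapping and HBAC lock-down with the ipa CLI.
# Names, host and domain below are assumptions, not values from the thread.
# IPA=echo turns every step into a dry-run that prints the command line.
IPA="${IPA:-ipa}"

# Steps 1-4: external group (holds the AD SIDs), POSIX group (gets a GID and
# is what HBAC and sudo rules refer to), nest external -> POSIX, then add the
# AD group as an external member. Either 'AD\IPA Users' or
# 'IPA Users@ad.example.com' is accepted for the AD group name.
setup_ad_group() {
    ad_group="$1"       # AD group, e.g. 'IPA Users@ad.example.com'
    ext_group="$2"      # e.g. ad_users_external
    posix_group="$3"    # e.g. ad_users
    "$IPA" group-add "$ext_group" --external --desc="AD members of $posix_group"
    "$IPA" group-add "$posix_group" --desc="POSIX group for $ad_group"
    "$IPA" group-add-member "$posix_group" --groups="$ext_group"
    "$IPA" group-add-member "$ext_group" --external="$ad_group"
}

# The 'attribute "ipaExternalMember" not allowed' error means the target
# group lacks the ipaexternalgroup objectClass, which only 'group-add
# --external' sets. This filter reads 'ipa group-show NAME --all --raw'
# output on stdin and succeeds only when that objectClass is present.
is_external_group_output() {
    grep -qi '^ *objectclass: *ipaexternalgroup *$'
}

check_external_group() {
    "$IPA" group-show "$1" --all --raw | is_external_group_output
}

# Craig's point: the default allow_all rule makes HBAC a no-op. Add a rule
# that lets only the POSIX group reach sshd on one host, and only then
# disable allow_all. Disable rather than delete, so it can be re-enabled
# from the web UI if you lock yourself out. Before disabling allow_all,
# make sure some other rule still admits your IPA admins over ssh.
restrict_ssh_to_group() {
    rule="$1"; posix_group="$2"; host="$3"
    "$IPA" hbacrule-add "$rule" --desc="ssh access for $posix_group"
    "$IPA" hbacrule-add-user "$rule" --groups="$posix_group"
    "$IPA" hbacrule-add-service "$rule" --hbacsvcs=sshd
    "$IPA" hbacrule-add-host "$rule" --hosts="$host"
    "$IPA" hbacrule-disable allow_all
}

# Simulate HBAC evaluation for one AD user without logging in.
test_ssh_access() {
    "$IPA" hbactest --user="$1" --host="$2" --service=sshd
}

# Usage (assumed names); uncomment to run against a real server:
# setup_ad_group 'IPA Users@ad.example.com' ad_users_external ad_users
# check_external_group ad_users_external || echo "ad_users_external was not created with --external"
# restrict_ssh_to_group ad_users_ssh ad_users ipa.example.com
# test_ssh_access someone@ad.example.com ipa.example.com
```

After the membership change, SSSD on the client may still serve cached group data; clear it with sss_cache -E (or wait for the cache to expire) before concluding the mapping does not work, and confirm the AD group is visible with getent group before testing HBAC.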