[Freeipa-users] trusted user groups

Jakub Hrozek jhrozek at redhat.com
Thu May 14 15:45:32 UTC 2015


On Thu, May 14, 2015 at 03:33:28PM +0000, Andy Thompson wrote:
> I've noticed that trusted users' supplementary AD groups don't show up until after the users log in to the box at least once.

That's expected with the versions you're running. Prior to 6.7, we could
only read the trusted users' group membership from the PAC blob attached
to the Kerberos ticket.


> Is there a chance that information will be dropped again at any point going forward?

No, otherwise it's a bug.

> 
> The reason I ask is that on our sftp boxes we chroot users based on group
> membership.  I set that up as an external group in freeIPA and the first
> time the user logs in to the sftp box, they are dropped in their normal
> home directory as opposed to the chroot environment.  If there is a chance
> the group membership will not show up correctly again in the future, I'm
> inclined to change the chroot stanzas to match on user as opposed to group.
> 
> Is that by design?

If you can't see the correct group memberships after a login, then
something is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and
there are so many fixes and enhancements in this area. Is there a chance
you could try out 6.7 beta or some custom packages?

> 
> Running
> 
> sssd-ipa-1.11.6-30.el6_6.4.x86_64
> ipa-client-3.0.0-42.el6.x86_64
> 
> on RHEL6x clients against a RHEL7 4.1 ipa server
> 
> thanks
> 
> -andy
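The thread's practical problem is an sshd `Match Group ... ChrootDirectory` stanza that only takes effect once sssd can report the trusted user's AD group membership through NSS. The script below is an added example, not from the thread or the sssd/FreeIPA projects: it checks, on the client, whether a given user already appears in the chroot group as far as the NSS stack is concerned, which is the same view sshd consults when evaluating `Match Group`. The user and group names used are illustrative assumptions; GIDs are compared numerically rather than by name because AD group names may contain spaces.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the NSS view served by
# sssd already lists a trusted-domain user in the group that an sshd
# "Match Group <group>" + "ChrootDirectory" stanza keys on. Run it for a
# user who has never logged in to spot the first-login gap described above.
# The user/group names in the usage comment are assumptions.

# Extract the GID (third field) from a getent-style group line
# such as "sftp-chroot@ad.example.com:*:1234567:".
gid_from_group_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if $2 (a GID) occurs in $1 (a whitespace-separated GID list,
# the format produced by "id -G").
gid_in_list() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Live check against the local NSS stack (nss_sss on a FreeIPA client).
# Exit status: 0 = member, 1 = not a member yet, 2 = name not resolvable.
check_chroot_group() {
    user="$1"; group="$2"
    line=$(getent group "$group") || { echo "group $group not resolvable via NSS"; return 2; }
    gid=$(gid_from_group_line "$line")
    gids=$(id -G "$user") || { echo "user $user not resolvable via NSS"; return 2; }
    if gid_in_list "$gids" "$gid"; then
        echo "OK: $user has GID $gid ($group); Match Group chroot will apply"
        return 0
    fi
    echo "WARN: $user is not in $group (GID $gid) in the NSS view; Match Group chroot will not apply yet"
    return 1
}

# Usage: sh check_chroot_group.sh 'user@ad.example.com' 'sftp-chroot@ad.example.com'
if [ "$#" -eq 2 ]; then
    check_chroot_group "$1" "$2"
fi
```

A WARN result for a user who has never logged in, followed by OK after their first login, reproduces the behaviour Jakub attributes to reading membership only from the Kerberos PAC; if the WARN persists after a login, that is the "something is fishy" case worth reporting.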