[Freeipa-users] trusted user groups
Lukas Slebodnik
lslebodn at redhat.com
Thu May 14 20:41:29 UTC 2015
On (14/05/15 15:53), Andy Thompson wrote:
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>> bounces at redhat.com] On Behalf Of Jakub Hrozek
>> Sent: Thursday, May 14, 2015 11:46 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] trusted user groups
>>
>> On Thu, May 14, 2015 at 03:33:28PM +0000, Andy Thompson wrote:
>> > I've noticed that trusted users' supplementary AD groups don't show up
>> > until after the users log in to the box at least once.
>>
>> That's expected with the versions you're running. Prior to 6.7, we could only
>> read the trusted users' group membership from the PAC blob attached to
>> the Kerberos ticket.
>>
>>
>> > Is there a chance that information will be dropped again at any point going
>> > forward?
>>
>> No, otherwise it's a bug.
>>
>> >
>> > The reason I ask is that on our sftp boxes we chroot users based on
>> > group membership. I set that up as an external group in freeIPA and
>> > the first time the user logs in to the sftp box, they are dropped in
>> > their normal home directory as opposed to the chroot environment. If
>> > there is a chance the group membership will not show up correctly
>> > again in the future, I'm inclined to change the chroot stanzas to match on
>> > user as opposed to group.
>> >
>> > Is that by design?
>>
>> If you can't see the correct group memberships after a login, then something
>> is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and there are so many
>> fixes and enhancements in this area. Is there a chance you could try out 6.7
>> beta or some custom packages?
>>
>
>Group memberships show up fine after the first login, so it is working as expected then. The accounts are very controlled, so it shouldn't be a huge sticking point. I could try out some custom packages on this box, but I can't move to 6.7 until we upgrade the entire environment.
>
Here you are
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/
LS