[Freeipa-users] trusted user groups

Lukas Slebodnik lslebodn at redhat.com
Mon May 18 14:33:28 UTC 2015


On (18/05/15 13:55), Andy Thompson wrote:
>> -----Original Message-----
>> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
>> Sent: Thursday, May 14, 2015 4:41 PM
>> To: Andy Thompson
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] trusted user groups
>> 
>> On (14/05/15 15:53), Andy Thompson wrote:
>> >> -----Original Message-----
>> >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>> >> bounces at redhat.com] On Behalf Of Jakub Hrozek
>> >> Sent: Thursday, May 14, 2015 11:46 AM
>> >> To: freeipa-users at redhat.com
>> >> Subject: Re: [Freeipa-users] trusted user groups
>> >>
>> >> On Thu, May 14, 2015 at 03:33:28PM +0000, Andy Thompson wrote:
>> >> > I've noticed that trusted users' supplementary AD groups don't show
>> >> > up until after the users log in to the box at least once.
>> >>
>> >> That's expected with the versions you're running. Prior to 6.7, we
>> >> could only read the trusted users' group membership from the PAC blob
>> >> attached to the Kerberos ticket.
>> >>
>> >>
>> >> > Is there a chance that information will be dropped again at any
>> >> > point going forward?
>> >>
>> >> No, otherwise it's a bug.
>> >>
>> >> >
>> >> > The reason I ask is that on our sftp boxes we chroot users based on
>> >> > group membership.  I set that up as an external group in freeIPA
>> >> > and the first time the user logs in to the sftp box, they are
>> >> > dropped in their normal home directory as opposed to the chroot
>> >> > environment.  If there is a chance the group membership will not
>> >> > show up correctly again in the future, I'm inclined to change the
>> >> > chroot stanzas to match on user as opposed to group.
>> >> >
>> >> > Is that by design?
>> >>
>> >> If you can't see the correct group memberships after a login, then
>> >> something is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and
>> >> there are so many fixes and enhancements in this area. Is there a
>> >> chance you could try out 6.7 beta or some custom packages?
>> >>
>> >
>> >Group memberships show up fine after the first login so it is working as
>> >expected then.  The accounts are very controlled so it shouldn't be a huge
>> >sticking point.  I could try out some custom packages on this box but I can't
>> >move to 6.7 until we upgrade the entire environment.
>> >
>> Here you are
>> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/
>> 
>
>To just bring this full circle, the latest sssd release reads group membership correctly without a Kerberos ticket.  I tested this release on 6.6 and tested a 7.1 box and both worked without issue.
>
I'm glad it works for you.

>I just can't roll them in production yet :/
>
I see.

LS
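The thread above describes sftp hosts that chroot users via an sshd "Match Group" stanza, where a trusted AD user's supplementary group is not visible to the local resolver until after a first Kerberos login, so that first login lands in the regular home directory instead of the chroot. The script below is an added example, not code from the thread or from the SSSD/FreeIPA projects: it checks, with the standard `id -Gn` lookup that SSSD answers, whether the expected group is already resolvable for a given user, so an administrator can flag accounts whose chroot stanza would not yet apply. The group name `sftp-chroot` and the user `alice@ad.example.test` are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a trusted user's
# supplementary group is visible to the local resolver (SSSD) before an
# sshd "Match Group ... ChrootDirectory" stanza is relied on for that user.

# has_group LIST GROUP -> returns 0 if GROUP appears in the space-separated
# LIST (the format produced by `id -Gn`), 1 otherwise.
has_group() {
    list=$1
    want=$2
    for g in $list; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# resolved_groups USER -> the group names `id -Gn` reports for USER, or an
# empty string when the user cannot be resolved at all (e.g. trust lookup
# failure); `id` is a real coreutils command, nothing here is simulated.
resolved_groups() {
    id -Gn "$1" 2>/dev/null || true
}

# check_user USER GROUP -> prints a verdict; returns 0 only when GROUP is
# visible right now, i.e. without waiting for a PAC-carrying login.
# Return codes: 0 = group visible, 1 = user resolves but group missing,
# 2 = user not resolvable.
check_user() {
    user=$1
    want=$2
    groups=$(resolved_groups "$user")
    if [ -z "$groups" ]; then
        echo "$user: not resolvable; check the SSSD trust setup before allowing sftp"
        return 2
    fi
    if has_group "$groups" "$want"; then
        echo "$user: member of $want; the Match Group chroot stanza will apply"
        return 0
    fi
    echo "$user: $want NOT visible yet; a first login would land in the home directory"
    return 1
}

# Usage (hypothetical names): sh check_groups.sh 'alice@ad.example.test' sftp-chroot
if [ $# -eq 2 ]; then
    check_user "$1" "$2"
fi
```

Run it for each sftp account after creating the external group mapping and before handing out credentials; a non-zero exit on a host running the older SSSD described in the thread is the "group not yet visible" condition Andy observed, and a zero exit on every host confirms the membership is being read from LDAP rather than only from the PAC.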



