[Freeipa-users] trusted user groups

Andy Thompson Andy.Thompson at e-tcc.com
Mon May 18 14:50:12 UTC 2015


> -----Original Message-----
> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
> Sent: Monday, May 18, 2015 10:33 AM
> To: Andy Thompson
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] trusted user groups
> 
> On (18/05/15 13:55), Andy Thompson wrote:
> >> -----Original Message-----
> >> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
> >> Sent: Thursday, May 14, 2015 4:41 PM
> >> To: Andy Thompson
> >> Cc: freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] trusted user groups
> >>
> >> On (14/05/15 15:53), Andy Thompson wrote:
> >> >> -----Original Message-----
> >> >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> >> >> bounces at redhat.com] On Behalf Of Jakub Hrozek
> >> >> Sent: Thursday, May 14, 2015 11:46 AM
> >> >> To: freeipa-users at redhat.com
> >> >> Subject: Re: [Freeipa-users] trusted user groups
> >> >>
> >> >> On Thu, May 14, 2015 at 03:33:28PM +0000, Andy Thompson wrote:
> >> >> > I've noticed that trusted users' supplementary AD groups don't
> >> >> > show up until after the users log in to the box at least once.
> >> >>
> >> >> That's expected with the versions you're running. Prior to 6.7, we
> >> >> could only read the trusted users' group membership from the PAC
> >> >> blob attached to the Kerberos ticket.
> >> >>
> >> >>
> >> >> > Is there a chance that information will be dropped again at any
> >> >> > point going forward?
> >> >>
> >> >> No, otherwise it's a bug.
> >> >>
> >> >> >
> >> >> > The reason I ask is that on our sftp boxes we chroot users based
> >> >> > on group membership.  I set that up as an external group in
> >> >> > freeIPA and the first time the user logs in to the sftp box,
> >> >> > they are dropped in their normal home directory as opposed to
> >> >> > the chroot environment.  If there is a chance the group
> >> >> > membership will not show up correctly again in the future, I'm
> >> >> > inclined to change the chroot stanzas to match on user as
> >> >> > opposed to group.
> >> >> >
> >> >> > Is that by design?
> >> >>
> >> >> If you can't see the correct group memberships after a login, then
> >> >> something is fishy. However, we're rebasing to sssd 1.12.x in 6.7
> >> >> and there are so many fixes and enhancements in this area... is there
> >> >> a chance you could try out 6.7 beta or some custom packages?
> >> >>
> >> >
> >> >Group memberships show up fine after the first login so it is
> >> >working as expected then.  The accounts are very controlled so it
> >> >shouldn't be a huge sticking point.  I could try out some custom
> >> >packages on this box but I can't move to 6.7 until we upgrade the
> >> >entire environment.
> >> >
> >> Here you are
> >> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/
> >>
> >
> >To just bring this full circle, the latest sssd release reads group
> >membership correctly without a Kerberos ticket.  I tested this release on
> >6.6 and tested a 7.1 box and both worked without issue.
> >
> I'm glad it works for you.
> 
> >I just can't roll them in production yet :/
> >
> I see.
> 

Do you have any insight into when 6.7 will be released?
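The failure mode described in this thread (an AD user's external group not resolving before first login, so a `Match Group` chroot stanza never applies and the user lands in their normal home directory) can be checked from the sftp host before the user ever connects. The script below is an added example, not code from the thread or from the FreeIPA or sssd projects; it assumes an external group named `sftp_users`, the stanza shape shown in its header comment, and an OpenSSH new enough to support `sshd -T -C` (the 6.x in RHEL 7; the hostname and address in the connection spec are placeholders).

```shell
#!/bin/sh
# Added example, not from the thread. Before relying on an sshd "Match Group"
# chroot stanza for AD users coming through an IPA trust, confirm that the
# group actually resolves through NSS (sssd) for that user. If it does not,
# the stanza silently fails to apply and the user lands in their normal home.
#
# The two stanza styles under discussion (group and user names are assumed):
#
#   Match Group sftp_users
#       ChrootDirectory /sftp/%u
#       ForceCommand internal-sftp
#
#   Match User alice@ad.example.com
#       ChrootDirectory /sftp/%u
#       ForceCommand internal-sftp

SFTP_GROUP="${SFTP_GROUP:-sftp_users}"   # assumed external group name

# has_group NAME GROUP...: exit 0 if NAME appears among the listed groups
has_group() {
  name="$1"; shift
  for g in "$@"; do
    [ "$g" = "$name" ] && return 0
  done
  return 1
}

# classify_groups GROUPLIST: print "chroot" or "home" for a space-separated
# list of resolved group names (the format printed by `id -nG`)
classify_groups() {
  # word splitting of $1 is intended here
  if has_group "$SFTP_GROUP" $1; then
    echo chroot
  else
    echo home
  fi
}

# check_user USER: query NSS with id -nG and report whether the group resolved
check_user() {
  user="$1"
  glist=$(id -nG "$user" 2>/dev/null) || { echo "$user: cannot be resolved"; return 2; }
  case "$(classify_groups "$glist")" in
    chroot) echo "$user: $SFTP_GROUP resolved; Match Group stanza applies"; return 0 ;;
    *)      echo "$user: $SFTP_GROUP missing from [$glist]; user would land in home dir"; return 1 ;;
  esac
}

# effective_chroot USER: ask sshd which ChrootDirectory it would apply to USER
# (sshd -T -C evaluates Match blocks for the given connection; run as root)
effective_chroot() {
  sshd -T -C "user=$1,host=sftp.example.com,addr=127.0.0.1" 2>/dev/null \
    | awk '$1 == "chrootdirectory" { print $2 }'
}

# Usage: sh check_sftp_groups.sh user1@ad.example.com user2@ad.example.com
if [ $# -gt 0 ]; then
  for u in "$@"; do
    check_user "$u"
    printf '  effective ChrootDirectory: %s\n' "$(effective_chroot "$u")"
  done
fi
```

Running this against a freshly created trusted user on a pre-6.7 host should reproduce the thread's observation (group missing, `chrootdirectory none`), and running it again after the user's first login should flip both results; with an sssd that reads group membership without a Kerberos ticket, both should pass before any login.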
