[Freeipa-users] HBAC with Active directory group is not working
Jakub Hrozek
jhrozek at redhat.com
Fri Apr 29 14:59:32 UTC 2016
On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> Hi List,
>
> I have a working setup of one AD, one IPA server and one client server. By
> default I can log in to the client server by using an AD username.
>
> I want to apply HBAC rules against this client server. For that I have done
> the steps below.
>
> 1. Created an external group on the IPA server
> 2. Created a local POSIX group on the IPA server
> 3. Added the AD group to the external group
> 4. Added the POSIX group to the external group.
>
> After that I have created an HBAC rule by adding both local and external IPA
> groups, added sshd as service and selected service group as sudo.
>
> I have applied this HBAC rule to the client server and from the web UI, and
> while testing HBAC from the web, I am getting access denied.

Sorry, not enough info.

One guess would be that you need to add the "sudo-i" service as well.
The other is that the groups might not show up on the client (do they?)

Anyway, it might be a good idea to follow
https://fedorahosted.org/sssd/wiki/Troubleshooting