[Freeipa-users] HBAC with Active directory group is not working

Ben .T.George bentech4you at gmail.com
Fri Apr 29 15:37:26 UTC 2016


Hi

I have created 2 fresh users now and I was running the below:

[root at freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found
[root at freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found

but I am able to test with the old users:

[root at freeipa log]# ipa hbactest --user "KWTTESTDC\Administrator" --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root at freeipa log]# ipa hbactest --user "KWTTESTDC\ben" --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: ad_can_login
  Matched rules: allow_all
  Not matched rules: local_admin_can_login


Is there any sync time for the trust?

When I was trying ipa trust-fetch-domains, I was getting the below:

[root at freeipa log]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

Thanks & Regards,
Ben

On Fri, Apr 29, 2016 at 6:33 PM, Ben .T.George <bentech4you at gmail.com>
wrote:

> Hi Alex,
>
> Yeah, my mistake.
>
> I was following this:
>
> http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources
>
> On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy <abokovoy at redhat.com>
> wrote:
>
>> On Fri, 29 Apr 2016, Ben .T.George wrote:
>>
>>> Hi List,
>>>
>>> I have a working setup of one AD, one IPA server and one client server. By
>>> default I can log in to the client server using an AD username.
>>>
>>> I want to apply HBAC rules against this client server. For that I have
>>> done the steps below.
>>>
>>> 1. created an External group in the IPA server
>>> 2. created a local POSIX group on the IPA server
>>> 3. added the AD group to the external group
>>> 4. added the POSIX group to the external group.
>>>
>> You should have added external group to POSIX group, not the other way
>> around.
>>
>> --
>> / Alexander Bokovoy
>>
>
>
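As an added example (not part of this thread and not FreeIPA's own documentation), here is the group nesting Alexander describes, scripted with the ipa CLI: the AD group is added to an external (non-POSIX) group, and that external group is then added as a member of the POSIX group that the HBAC rule references. The group names ad_external and ad_posix, the AD group KWTTESTDC\linux_admins and the client host client.idm.local are placeholders; the rule name ad_can_login and the user KWTTESTDC\ben come from the thread. With DRY_RUN=1 (the default) every ipa command is printed instead of executed, so the sequence can be reviewed before it touches a live server.

```shell
#!/bin/sh
# Added example, not from the thread: nest an AD group into an IPA POSIX group
# in the direction HBAC needs (AD group -> external group -> POSIX group).
# Placeholders: ad_external, ad_posix, "KWTTESTDC\linux_admins", client.idm.local.

DRY_RUN="${DRY_RUN:-1}"

# Print the ipa command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the two groups and wire the membership the right way round.
# The external group must be a *member of* the POSIX group: HBAC rules are
# evaluated against the POSIX group's membership, so adding the POSIX group
# to the external group (the mistake in the thread) never grants anything.
setup_ad_groups() {
    ad_group="$1"      # AD group in DOMAIN\name form (placeholder value)
    ext_group="$2"     # external group that holds the AD SID
    posix_group="$3"   # POSIX group that HBAC rules reference

    run ipa group-add --external "$ext_group"
    run ipa group-add "$posix_group"
    run ipa group-add-member "$ext_group" --external "$ad_group"
    run ipa group-add-member "$posix_group" --groups "$ext_group"
}

# Create an HBAC rule that allows the POSIX group to use sshd on one host,
# then check the decision with hbactest for a trusted-domain user.
setup_hbac_rule() {
    rule="$1"; posix_group="$2"; host="$3"; user="$4"

    run ipa hbacrule-add "$rule"
    run ipa hbacrule-add-user "$rule" --groups "$posix_group"
    run ipa hbacrule-add-host "$rule" --hosts "$host"
    run ipa hbacrule-add-service "$rule" --hbacsvcs sshd
    run ipa hbactest --user "$user" --host "$host" --service sshd
}

# While the default allow_all rule is enabled every user matches it (as in the
# thread's hbactest output), so the specific rule is never the deciding factor.
# Disable it only after hbactest shows the specific rule matching.
disable_allow_all() {
    run ipa hbacrule-disable allow_all
}

# Usage (dry run by default; set DRY_RUN=0 to execute as an IPA admin):
setup_ad_groups 'KWTTESTDC\linux_admins' ad_external ad_posix
setup_hbac_rule ad_can_login ad_posix client.idm.local 'KWTTESTDC\ben'
disable_allow_all
```

After the real run, `ipa group-show ad_posix` should list ad_external under the member groups, and `ipa hbactest` for a user in the AD group should show ad_can_login under "Matched rules", as it does for KWTTESTDC\ben in the thread.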