[Freeipa-users] HBAC with Active directory group is not working

Ben .T.George bentech4you at gmail.com
Fri Apr 29 15:58:11 UTC 2016


Hi,

While explaining here it went wrong. Actually what I did is:
"Added external group to POSIX group"

On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
> > Hi,
> >
> > "The other is that the groups might not show up on the client (do they?)"
>
> id $user.
>
> But I think Alexander noticed the root cause.
>
> >
> > How can I check that?
> >
> > Thanks
> > Ben
> >
> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> >
> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> > > > Hi List,
> > > >
> > > > I have a working setup of one AD, one IPA server and one client server. By
> > > > default I can log in to the client server by using an AD username.
> > > >
> > > > I want to apply HBAC rules against this client server. For that I have done
> > > > the steps below.
> > > >
> > > > 1. Created external group in IPA server
> > > > 2. Created local POSIX group in IPA server
> > > > 3. Added AD group to external group
> > > > 4. Added POSIX group to external group.
> > > >
> > > > After that I have created an HBAC rule by adding both local and external IPA
> > > > groups, added sshd as service and selected service group as sudo.
> > > >
> > > > I have applied this HBAC rule to the client server and from the web UI, and while
> > > > testing HBAC from the web, I am getting access denied.
> > >
> > > Sorry, not enough info.
> > >
> > > One guess would be that you need to add the "sudo-i" service as well.
> > > The other is that the groups might not show up on the client (do they?)
> > >
> > > Anyway, it might be a good idea to follow
> > > https://fedorahosted.org/sssd/wiki/Troubleshooting