[Freeipa-users] HBAC with Active directory group is not working

Ben .T.George bentech4you at gmail.com
Fri Apr 29 16:27:49 UTC 2016


Surprisingly, I have created some local IPA users and added them to the same HBAC
rule, removed the AD group and applied this rule to the client, and that
worked.

How can I make this AD group work with HBAC?

Regards,
Ben

On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4you at gmail.com>
wrote:

> Hi
>
> If I disable the allow_all <https://freeipa.idm.local/ipa/ui/#allow_all> rule,
> I cannot log in to the client machine.
>
> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4you at gmail.com>
> wrote:
>
>> Hi
>>
>> Actually I have added Domain Admins, and the user ben is not part of
>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>
>> -sh-4.2$ id
>> uid=1827801104(ben at kwttestdc.com.kw) gid=1827801104(ben at kwttestdc.com.kw)
>> groups=1827801104(ben at kwttestdc.com.kw),1827800513(domain users at kwttestdc.com.kw),1827801105(sudo admins at kwttestdc.com.kw)
>>
>>
>>
>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4you at gmail.com>
>> wrote:
>>
>>> Hi
>>>
>>> While explaining here it went wrong. Actually what I did is:
>>> "Added external group to POSIX group"
>>>
>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhrozek at redhat.com>
>>> wrote:
>>>
>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>> > HI,
>>>> >
>>>> > "The other is that the groups might not show up on the client (do
>>>> they?)"
>>>>
>>>> id $user.
>>>>
>>>> But I think Alexander noticed the root cause.
>>>>
>>>> >
>>>> > How can I check that?
>>>> >
>>>> > Thanks
>>>> > Ben
>>>> >
>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhrozek at redhat.com>
>>>> wrote:
>>>> >
>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>> > > > Hi List,
>>>> > > >
>>>> > > > I have a working setup of one AD, one IPA server and one client
>>>> > > > server. By default I can log in to the client server using an AD
>>>> > > > username.
>>>> > > >
>>>> > > > I want to apply HBAC rules against this client server. For that I
>>>> > > > have done the steps below.
>>>> > > >
>>>> > > > 1. Created an external group in the IPA server
>>>> > > > 2. Created a local POSIX group in the IPA server
>>>> > > > 3. Added the AD group to the external group
>>>> > > > 4. Added the POSIX group to the external group.
>>>> > > >
>>>> > > > After that I have created an HBAC rule by adding both local and
>>>> > > > external IPA groups, added sshd as service and selected service
>>>> > > > group as sudo.
>>>> > > >
>>>> > > > I have applied this HBAC rule to the client server from the web UI,
>>>> > > > and while testing HBAC from the web I am getting access denied.
>>>> > >
>>>> > > Sorry, not enough info.
>>>> > >
>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>> well.
>>>> > > The other is that the groups might not show up on the client (do
>>>> they?)
>>>> > >
>>>> > > Anyway, it might be a good idea to follow
>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>> > >
>>>>
>>>
>>>
>>
>
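The corrected sequence from this thread (AD group into an external group, the external group into a POSIX group, an HBAC rule on the POSIX group with sshd, sudo and sudo-i, then a server-side hbactest), written up as an added example script that is not from the thread or the FreeIPA project. The group names, rule name and client hostname are assumptions (the AD group and domain come from the thread); with IPA_DRY_RUN=1 the script prints the ipa commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Requires an admin Kerberos ticket (kinit admin)
# on an IPA server or client with the ipa CLI when run for real.
AD_GROUP="${AD_GROUP:-Domain Admins@kwttestdc.com.kw}"  # AD group from the thread
CLIENT="${CLIENT:-client.idm.local}"                     # enrolled client (assumed name)
EXT_GROUP=ad_admins_external                             # assumed names
POSIX_GROUP=ad_admins
RULE=ad_admins_ssh_sudo

# ipa_cmd: run "ipa ..." or, with IPA_DRY_RUN=1, print the command (one per line)
# so the whole sequence can be reviewed before it touches the server.
ipa_cmd() {
    if [ "${IPA_DRY_RUN:-0}" = 1 ]; then
        printf 'ipa'; for a in "$@"; do printf ' %s' "$a"; done; printf '\n'
    else
        ipa "$@"
    fi
}

hbac_setup() {
    # 1. external (non-POSIX) group; only this kind may hold AD members
    ipa_cmd group-add --external "$EXT_GROUP" --desc "AD admins (external)"
    # 2. POSIX group that SSSD on the client can resolve and that HBAC rules use
    ipa_cmd group-add "$POSIX_GROUP" --desc "AD admins (POSIX)"
    # 3. the AD group becomes a member of the external group
    ipa_cmd group-add-member "$EXT_GROUP" --external "$AD_GROUP"
    # 4. the external group becomes a member of the POSIX group; this direction
    #    (not POSIX into external) is what carries AD membership to the rule
    ipa_cmd group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
    # HBAC rule: POSIX group, the client host, sshd and both sudo services
    ipa_cmd hbacrule-add "$RULE"
    ipa_cmd hbacrule-add-user "$RULE" --groups "$POSIX_GROUP"
    ipa_cmd hbacrule-add-host "$RULE" --hosts "$CLIENT"
    ipa_cmd hbacrule-add-service "$RULE" --hbacsvcs sshd --hbacsvcs sudo --hbacsvcs sudo-i
}

# hbac_check USER@AD.DOMAIN: server-side simulation of the decision for sshd.
# If this grants access but the client denies it, the client is not resolving the
# group memberships (compare with "id USER@AD.DOMAIN" on the client).
hbac_check() {
    ipa_cmd hbactest --user "$1" --host "$CLIENT" --service sshd --rules "$RULE"
}
```

Run `IPA_DRY_RUN=1 sh -c '. ./hbac.sh; hbac_setup; hbac_check ben@kwttestdc.com.kw'` to review the commands first, then without the variable to apply them.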