[Freeipa-users] HBAC and AD users

Alexander Bokovoy abokovoy at redhat.com
Mon Jul 11 06:44:39 UTC 2016


On Mon, 11 Jul 2016, Lachlan Musicman wrote:
>Hola,
>
>Centos 7, up to date.
>
>[root@linuxidm ~]# ipa --version
>VERSION: 4.2.0, API_VERSION: 2.156
>
>One way trust is successfully established, can login with
>
>ssh username@domain1.com@server1.domain2.com
>
>Am testing to get HBAC to work.
>
>I've noticed that with the Allow All rule in effect, the following setup
>is sufficient:
>
>add external group "ad_external"
>add internal group, "ad_internal", add ad_external as a group member of
>ad_internal
>
>AD users can now successfully login to any server.
>
>When I tried to set up an HBAC rule, I couldn't get that setup to work; I
>needed to complete the extra step of adding AD users explicitly to the
>"external member" list of the external group.
>
>I also note that this seems to be explicitly user based, not group based?
>I.e., I can add lachlan@domain1.com to the external members of ad_external
>and that works, but adding the group server_admins@domain1.com (as seen in
>`id lachlan@domain1.com`) doesn't allow all members access.
>
>Does that sound correct?
No, it does not.
HBAC evaluation and external group merging/resolution is done by SSSD.
Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
that can help in understanding what happens there.

What SSSD version do you have on both IPA client and IPA server?
-- 
/ Alexander Bokovoy
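As an added example (not code from either poster or from the FreeIPA project), the ipa(1) command sequence that implements the setup Lachlan describes: the AD group, not individual users, is the external member, the HBAC rule points at the POSIX wrapper group, a server-side `ipa hbactest` run checks the rule set, and the last step is the client-side SSSD logging Alexander points to. The group, rule, host and AD principal names are assumed placeholders. The script defaults to printing the commands (DRY_RUN=1) so it can be read offline; with DRY_RUN=0 it executes them and must be run on an IPA server holding an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholders (assumed):
#   ad_external, ad_internal   - IPA groups created here
#   allow_admins_ssh           - HBAC rule created here
#   server_admins@domain1.com  - AD group in the trusted domain
#   server1.domain2.com        - IPA-enrolled host
# DRY_RUN=1 (default) prints each command instead of executing it.

DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: an external (non-POSIX) group holds the AD SID-based members and
# is itself a member of a POSIX group that the rest of IPA can reference.
setup_groups() {
    ad_group="$1"   # AD group, e.g. server_admins@domain1.com
    run ipa group-add --external ad_external --desc='AD members (non-POSIX)'
    run ipa group-add ad_internal --desc='POSIX wrapper for ad_external'
    run ipa group-add-member ad_internal --groups ad_external
    # The external member is the AD group, so all its AD members are
    # covered without being listed one by one.
    run ipa group-add-member ad_external --external "$ad_group"
}

# Step 2: the HBAC rule names the POSIX wrapper group, not the external one.
setup_hbac_rule() {
    host="$1"
    run ipa hbacrule-add allow_admins_ssh --desc='AD server_admins may ssh'
    run ipa hbacrule-add-user allow_admins_ssh --groups ad_internal
    run ipa hbacrule-add-host allow_admins_ssh --hosts "$host"
    run ipa hbacrule-add-service allow_admins_ssh --hbacsvcs sshd
    # Disable the default allow_all rule only after the new rule is verified.
    run ipa hbacrule-disable allow_all
}

# Step 3: server-side simulation of the HBAC decision for one AD user.
check_rule() {
    run ipa hbactest --user "$1" --host "$2" --service sshd
}

# Step 4 (on the IPA client): raise SSSD logging and drop the cache so
# group resolution and HBAC evaluation are redone and logged. Set
# "debug_level = 6" in the [domain/<name>] section of /etc/sssd/sssd.conf
# by hand first, then:
debug_sssd_client() {
    ipa_domain="$1"   # the [domain/...] section name in sssd.conf
    run systemctl restart sssd
    run sss_cache -E
    # Then read /var/log/sssd/sssd_${ipa_domain}.log and look for the
    # "hbac" entries produced by the next login attempt.
}

# Dry-run walk-through with the placeholder names.
setup_groups 'server_admins@domain1.com'
setup_hbac_rule 'server1.domain2.com'
check_rule 'lachlan@domain1.com' 'server1.domain2.com'
debug_sssd_client 'domain2.com'
```

Caveat: `ipa hbactest` evaluates the rules with the server's view of group membership, while the actual login decision is made by SSSD on the client after it has fetched the rules and resolved the external group members itself. When the two disagree, the SSSD domain log on the client (with debug_level raised as above) is where the discrepancy shows up.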
