[Freeipa-users] External (AD) groups and sudo/hbac in IPA 4.2

Lachlan Musicman datakid at gmail.com
Wed Oct 12 04:56:26 UTC 2016


On 12 October 2016 at 15:23, Robert Sturrock <rns at unimelb.edu.au> wrote:

> Hi All.
>
> We’re attempting to setup an IPA (4.2) service on RHEL7.2 to provide
> better connectivity to our (large) organisational AD service for Linux
> clients.
>
> We have setup IPA and configured a suitable AD trust (with SID POSIX
> mapping) in the hope that users will be able to access IPA resources
> (hosts, storage) using existing AD credentials and groups.  This is working
> fine - we can login to Linux hosts using AD credentials and see the AD
> groups.
>
> However, it would appear that in order to use AD group membership as the
> basis for Linux HBAC or sudo, we need to firstly _map_ the AD groups to an
> equivalent IPA (POSIX) group?  Is this correct?
>
> I can see that it’s possible to define ‘external’ *users* (not groups) in
> some cases, but this function appears to be deprecated.
>
> We have large numbers of groups in our AD (~50k), so obviously that’s a
> lot of mapping!
>
>

Hi Rob,

It should work with groups no problems. We found a few issues with sssd
<1.14. To get the up to date sssd for the hosts, the best bet is the COPR
repos:

https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/

As for groups working with HBAC, it should work no problems. Yes to mapping
though. Here is the process:

1. Create an external group for your AD users/groups
2. Add AD group name to that external group (this AD group's existence will
be confirmed by IPA->AD trust or command will fail)
3. Create POSIX group
4. add group created in step 1 to group created in step 3

And here are some example commands to do that, as we executed them here, in
the same order:

ipa group-add --desc="petermac.org.au external map" ad_users_external --external
ipa group-add-member ad_users_external --external 'PMCI\Bioinf-Cluster'
ipa group-add --desc="petermac.org.au AD users" ad_users
ipa group-add-member ad_users --groups ad_users_external

Let me know how you go

L.



------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
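The four-step mapping above, scripted, as an added example that is not part of the list post or of the FreeIPA project. It assumes the ipa CLI and a valid admin Kerberos ticket on the IPA server; every group, host group and rule name in it is constructed. It goes one step beyond the post by also creating the HBAC and sudo rules that reference the resulting POSIX group, which is the part that only works once the mapping exists. Set IPA=dry_run to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the list post or FreeIPA): map one AD group into
# IPA per the four steps, then reference the POSIX group from HBAC and sudo.
# Assumes the ipa CLI and an admin Kerberos ticket; all names are constructed.
IPA="${IPA:-ipa}"

# Dry-run stand-in for the ipa CLI: prints the arguments it would have run.
dry_run() { printf '%s ' "$@"; printf '\n'; }

# Accept only a domain-qualified AD group ("DOMAIN\Group" or "group@domain");
# an unqualified name cannot be resolved through the trust, so the
# group-add-member --external call would fail anyway.
ad_group_ok() {
    case "$1" in
        *\\*|*@*.*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Derive an IPA-safe group name: drop the domain qualifier, lowercase,
# replace anything outside [a-z0-9_-] with "_".
ipa_name_from_ad() {
    printf '%s\n' "$1" | sed -e 's/^.*\\//' -e 's/@.*$//' \
        | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9_-]/_/g'
}

# Steps 1-4: external group holding the AD SID, POSIX group wrapping it.
# Prints the POSIX group name on success.
map_ad_group() {
    ad_group=$1
    if ! ad_group_ok "$ad_group"; then
        echo "refusing unqualified AD group name: $ad_group" >&2
        return 1
    fi
    base=$(ipa_name_from_ad "$ad_group")
    ext="${base}_external"
    # Steps 1 and 2: add-member fails unless the trust resolves the AD group.
    $IPA group-add "$ext" --external --desc="external map for $ad_group" || return 1
    $IPA group-add-member "$ext" --external "$ad_group" || return 1
    # Steps 3 and 4: only this POSIX group is usable from HBAC and sudo rules.
    $IPA group-add "$base" --desc="POSIX wrapper for $ad_group" || return 1
    $IPA group-add-member "$base" --groups "$ext" || return 1
    printf '%s\n' "$base"
}

# Grant the mapped POSIX group ssh access and one sudo command on a host
# group; the external group itself must never be used here.
grant_on_hostgroup() {
    posix=$1; hostgroup=$2; cmd=$3
    rule="allow_${posix}_on_${hostgroup}"
    $IPA hbacrule-add "$rule" --desc="AD-mapped $posix on $hostgroup" || return 1
    $IPA hbacrule-add-user "$rule" --groups="$posix" || return 1
    $IPA hbacrule-add-host "$rule" --hostgroups="$hostgroup" || return 1
    $IPA hbacrule-add-service "$rule" --hbacsvcs=sshd || return 1
    $IPA sudorule-add "sudo_$rule" || return 1
    $IPA sudorule-add-user "sudo_$rule" --groups="$posix" || return 1
    $IPA sudorule-add-host "sudo_$rule" --hostgroups="$hostgroup" || return 1
    $IPA sudorule-add-allow-command "sudo_$rule" --sudocmds="$cmd" || return 1
    printf '%s\n' "$rule"
}

# Usage (constructed names, the AD group is the one from the post):
#   posix=$(map_ad_group 'PMCI\Bioinf-Cluster')
#   grant_on_hostgroup "$posix" cluster-nodes /usr/bin/systemctl
```

After running it for real, `ipa hbactest --user=<aduser@domain> --host=<node> --service=sshd` confirms the rule matches for an AD member of the mapped group; if it does not, check that the external group actually gained a member (the add-member step is the one that depends on the trust resolving the group's SID).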