[Freeipa-users] Is WinSync A Bad Choice?

Lachlan Musicman datakid at gmail.com
Wed Feb 1 23:46:13 UTC 2017


On 2 February 2017 at 10:06, Jason B. Nance <jason at tresgeek.net> wrote:

>
> >    - User/group management in general becomes largely a command-line
>> operation (such as mapping groups so they can be used in HBAC and sudo
>> rules)
>>
>> While this is a nice-to-have, it isn't a deal breaker.
>>
>
> This definitely exists in WebUI? Unless you mean something I don't
> understand.
>
> Define groups:
> Identity->User Groups (second tab)
>
> In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users (users
> that are known via the trust with AD) under the "Users" tab.  There is
> limited visibility / management of external groups and membership, but
> nothing that displays a list of available users/groups in AD when
> attempting to create/modify a user/group.
>



Ah! Yes, I can't see all the AD users either. But adding a user to the ID
Views does fail on bad user names, which is not the same thing - I know -
but I only have a one-way trust (from FreeIPA to AD) and the AD is managed
by the IT Overlords on Floor 6.

Bidirectional trust may have different usage?


> Define user mappings:
> IPA Server -> ID Views -> Default Trust View
>
> By "mapping" I meant adding an AD group to a FreeIPA group (which can be
> used for HBAC/sudo) so that AD membership is known by IPA when applying the
> HBAC/sudo rules.  For example:
>
> ipa group-add \
>   --desc="lab.gen.zone 'Domain Admins' external map" \
>   lgz_map_domain_admins \
>   --external
> ipa group-add \
>   --desc="lab.gen.zone 'Domain Admins' POSIX" \
>   lgz_domain_admins
> ipa group-add-member \
>   lgz_map_domain_admins \
>   --external 'LAB\Domain Admins'
> ipa group-add-member \
>   lgz_domain_admins \
>   --groups lgz_map_domain_admins
>
>


Through the groups UI, you can add an external group (we use the naming
system "ad_my_group"), then add the AD group as an external member to that
group (add AD-DOMAIN\my_group). Then we add the local POSIX group
("my_group") and make "ad_my_group" a member of that.


When you add a group in the groups UI, you will see the option for the group
to be POSIX, external or normal.

cheers
L.



------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot_2017-02-02_10-41-09.png
Type: image/png
Size: 15655 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170202/44ec8541/attachment.png>
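The external-to-POSIX group nesting that both messages above describe, carried through to the HBAC and sudo rules it exists for, as an added example: this is not code from the thread or from the FreeIPA project, only a script written for this page. The names are assumptions chosen to match the thread (AD NetBIOS domain LAB, AD realm lab.gen.zone, IPA base name domain_admins, host group lab_servers); substitute your own. It calls the real `ipa` CLI subcommands, so it needs an enrolled client with a Kerberos ticket to do anything; DRY_RUN=1 prints the commands instead so they can be reviewed first.

```shell
#!/bin/bash
# Added example, not code from the thread: map an AD group into a FreeIPA
# POSIX group that HBAC and sudo rules can reference, create one rule of each,
# and check the result. Names are hypothetical: AD NetBIOS domain "LAB",
# IPA group base name "domain_admins", host group "lab_servers".
# DRY_RUN=1 prints the ipa commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# run -- execute an ipa subcommand, or in dry-run mode print it on one line.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        ipa "$@"
    fi
}

# map_ad_group 'DOMAIN\AD Group' ext_group posix_group
# Only a group created with --external may hold AD members (stored as SIDs),
# and only a POSIX group is usable in HBAC/sudo rules, so the AD group goes
# into the external group and the external group is nested in the POSIX one.
# group-add-member --external resolves the name to a SID through the trust,
# so it fails if the name is wrong or no AD domain controller is reachable.
map_ad_group() {
    local ad_group=$1 ext_group=$2 posix_group=$3
    run group-add "$ext_group" --external --desc="external map for $ad_group"
    run group-add-member "$ext_group" --external "$ad_group"
    run group-add "$posix_group" --desc="POSIX group for $ad_group"
    run group-add-member "$posix_group" --groups "$ext_group"
}

# add_rules posix_group hostgroup
# HBAC: allow sshd on the host group for the POSIX group.
# sudo: all commands on the host group for the POSIX group.
add_rules() {
    local posix_group=$1 hostgroup=$2
    local hbac="allow_${posix_group}_ssh" sudo="sudo_${posix_group}"
    run hbacrule-add "$hbac" --desc="ssh for $posix_group"
    run hbacrule-add-user "$hbac" --groups "$posix_group"
    run hbacrule-add-host "$hbac" --hostgroups "$hostgroup"
    run hbacrule-add-service "$hbac" --hbacsvcs sshd
    run sudorule-add "$sudo" --cmdcat=all
    run sudorule-add-user "$sudo" --groups "$posix_group"
    run sudorule-add-host "$sudo" --hostgroups "$hostgroup"
}

# check_mapping ext_group posix_group user@ad.realm host.fqdn
# group-show on the external group should list the AD group's SID as an
# external member (proof the trust resolved the name); hbactest simulates
# the HBAC decision for the AD user, given in user@realm form.
check_mapping() {
    local ext_group=$1 posix_group=$2 user=$3 host=$4
    run group-show "$ext_group"
    run group-show "$posix_group"
    run hbactest --user "$user" --host "$host" --service sshd
}

if [ $# -eq 4 ]; then
    # $1 AD group, $2 IPA base name, $3 host group, $4 AD user to test with
    map_ad_group "$1" "ad_$2" "$2"
    add_rules "$2" "$3"
    check_mapping "ad_$2" "$2" "$4" "$(hostname -f)"
else
    echo "usage: $0 'LAB\\Domain Admins' domain_admins lab_servers admin@lab.gen.zone" >&2
fi
```

Run it once with DRY_RUN=1 to see the exact ipa commands, then without. The rules deliberately reference only the POSIX group: pointing an HBAC or sudo rule at the external group does not work, because the rule evaluation on the client sees the POSIX group (via SSSD) that the external group is nested into.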