<div dir="ltr">Hi Dmitri,<div><br></div><div>I'd be happy to test sssd 1.13 alpha. Is there any easy was to install on Ubuntu, or do I need to pull and compile from source?</div><div><br></div><div>Thanks,</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 17, 2015 at 9:07 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"> <div>On 04/17/2015 09:12 PM, Benjamen Keroack wrote:<br> </div> <blockquote type="cite"> <div dir="ltr">Hi, <div><br> </div> <div>We have a number of local groups on our IPA-managed servers that we add LDAP/IPA users to. This works fine locally on the server on an ad hoc basis:</div> <div><br> </div> <div>$ usermod -a -G local-group test.user</div> <div><br> </div> <div>However I'm trying to do this as part of user provisioning in IPA via user groups. I've created external user groups in IPA, then added those external groups to the user groups that new users are added to via automember rules. For example:</div> <div><br> </div> <div>local-group [external] -> [is a member of] -> developers [IPA group]</div> <div><br> </div> <div>Then I SSH into one of the servers as a user who is a member of developers:</div> <div><br> </div> <div>test.user@qa$ groups</div> <div>test.user developers qa_users</div> <div><br> </div> <div>I do not see 'local-group' membership, even after restarting sssd/rebooting. Is it possible to achieve this kind of automatic local group membership? The only alternative I can see would be to write a SUID binary that .bash_profile runs on login to add them to the applicable groups, which seems like a bad hack.</div> <div><br> </div> <div>This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu Trusty.</div> <div> <div><br> </div> <div>Thanks for any help,</div> <div><br> </div> -- <br> <div> <div dir="ltr"> <div> <div dir="ltr"> <div>Benjamen Keroack</div> <div><i>Infrastructure/DevOps Engineer</i></div> <div><a href="mailto:benjamen@dollarshaveclub.com" target="_blank">benjamen@dollarshaveclub.com</a></div> <div><br> </div> </div> </div> </div> </div> </div> </div> <br> <fieldset></fieldset> <br> </blockquote> <br></div></div> It looks like you are looking for this: <a href="https://fedorahosted.org/sssd/ticket/1591" target="_blank">https://fedorahosted.org/sssd/ticket/1591</a><br> It is on the roadmap for 1.13 alpha which should be out in couple months.<br> Would you be interested to test?<span class="HOEnZb"><font color="#888888"><br> <br> <pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </font></span></div> <br>--<br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Benjamen Keroack</div><div><i>Infrastructure/DevOps Engineer</i></div><div><a href="mailto:benjamen@dollarshaveclub.com" target="_blank">benjamen@dollarshaveclub.com</a></div><div><br></div></div></div></div></div> </div>