I tried to apply an ID-View to a single AD-User. The first thing I noticed was that the short user name did not work anymore upon SSH login. I had to specify the user name with its FQDN.
The second problem I noticed is that under RHEL 9 that particular user somehow "lost" all its groups. The only group the id command revealed was the one with the user's UID. So group-based sudo permissions stopped working...
Cheers, Ronald
Hi,
can you provide more details? Did you use the "Default Trust View" idview or did you create another one? Which attributes did you override for your AD user?
flo
On Thu, May 11, 2023 at 11:02 AM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
> I tried to apply an ID-View to a single AD-User. The first thing I noticed was that the short user name did not work anymore upon SSH login. I had to specify the user name with its FQDN.
> The second problem I noticed is that under RHEL 9 that particular user somehow "lost" all its groups. The only group the id command revealed was the one with the user's UID. So group-based sudo permissions stopped working...
> Cheers, Ronald
On 12.05.23 11:35, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
> can you provide more details? Did you use the "Default Trust View" idview or did you create another one? Which attributes did you override for your AD user?
Of course I can. I should have provided more info in the first place...
I created my own ID view called "zsh" which overrides the login shell for certain users on certain hosts (currently 2 hosts, one running CentOS 7.9 and the other one running OL 9.1).
Hi,
On Fri, May 12, 2023 at 5:47 PM Ronald Wimmer <ronaldw@ronzo.at> wrote:
> On 12.05.23 11:35, Florence Blanc-Renaud via FreeIPA-users wrote:
>> Hi,
>> can you provide more details? Did you use the "Default Trust View" idview or did you create another one? Which attributes did you override for your AD user?
> Of course I can. I should have provided more info in the first place...
> I created my own ID view called "zsh" which overrides the login shell for certain users on certain hosts (currently 2 hosts, one running CentOS 7.9 and the other one running OL 9.1).
Are those hosts IPA servers or IPA clients? I'm asking because it's not supported to apply an ID view on IPA servers, except for the "Default Trust View" (see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm... ).
flo
On 15.05.23 10:34, Florence Blanc-Renaud wrote:
> Hi,
> On Fri, May 12, 2023 at 5:47 PM Ronald Wimmer <ronaldw@ronzo.at> wrote:
>> On 12.05.23 11:35, Florence Blanc-Renaud via FreeIPA-users wrote:
>>> Hi,
>>> can you provide more details? Did you use the "Default Trust View" idview or did you create another one? Which attributes did you override for your AD user?
>> Of course I can. I should have provided more info in the first place...
>> I created my own ID view called "zsh" which overrides the login shell for certain users on certain hosts (currently 2 hosts, one running CentOS 7.9 and the other one running OL 9.1).
> Are those hosts IPA servers or IPA clients?
No. Both are IPA clients.