Hi,
I have connected my FreeIPA server with an AD in trust. Is it possible to assign special permissions (sudo) to some AD users? I noticed that the policies can only be set to AD groups.
Thanks in advance, Daniele
On Tue, 30 Jan 2018, Daniele Liciotti via FreeIPA-users wrote:
Hi,
I have connected my FreeIPA server with an AD in trust. Is it possible to assign special permissions (sudo) to some AD users? I noticed that the policies can only be set to AD groups.
Policies can only be assigned to POSIX users/groups. Thus, if you have AD users or groups mapped to POSIX groups, you can get it working.
Add a POSIX group: ipa group-add foo
Add an external, non-POSIX group: ipa group-add --external foo_external
Add an external user to an external group: ipa group-add-member foo_external --external user@ad.domain
The member you add can be anything IPA could resolve into a SID, so a user or a group from a trusted AD domain.
Add this external group to a POSIX group as a member: ipa group-add-member foo --groups=foo_external
Then use the POSIX 'foo' group in your sudo rules.
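The procedure above, as an added example script that is not part of the thread: it creates the POSIX and external groups, nests them, and attaches a sudo rule scoped to a single command rather than a wildcard. The AD domain ad.example.com, the AD user jdoe, the rule name ad_systemctl and the command /usr/bin/systemctl are assumed names; running it for real needs the ipa CLI and an admin Kerberos ticket (kinit admin), while IPA_DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): provision the nesting described above and
# attach a narrowly scoped sudo rule to the POSIX group.
# Assumed names: AD domain ad.example.com, AD user jdoe, sudo rule ad_systemctl
# limited to /usr/bin/systemctl. Running for real needs the ipa CLI and an admin
# Kerberos ticket (kinit admin); IPA_DRY_RUN=1 prints the commands instead.
set -eu

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"     # assumed trusted AD domain
AD_USER="${AD_USER:-jdoe}"                   # assumed AD user to grant sudo
POSIX_GROUP="${POSIX_GROUP:-foo}"            # POSIX group from the reply
EXT_GROUP="${EXT_GROUP:-foo_external}"       # external group from the reply
SUDO_RULE="${SUDO_RULE:-ad_systemctl}"       # assumed rule name
SUDO_CMD="${SUDO_CMD:-/usr/bin/systemctl}"   # assumed allowed command

# Run an ipa subcommand, or print it when IPA_DRY_RUN=1.
ipa_run() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        printf 'ipa'
        printf ' %s' "$@"
        printf '\n'
    else
        ipa "$@"
    fi
}

# The mapping: a SID-bearing external group nested in a GID-bearing POSIX group,
# then a sudo rule that names only the POSIX group and one command.
map_ad_user_to_sudo() {
    ipa_run group-add "$POSIX_GROUP"
    ipa_run group-add --external "$EXT_GROUP"
    # IPA resolves user@domain to a SID through the trust; the member can also
    # be an AD group, which is the usual way to manage this at scale.
    ipa_run group-add-member "$EXT_GROUP" --external "$AD_USER@$AD_DOMAIN"
    ipa_run group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
    # Least privilege: an explicit command and the POSIX group, not
    # --cmdcat=all. --hostcat=all is used here for brevity; narrow it with
    # sudorule-add-host --hostgroups=... in production.
    ipa_run sudocmd-add "$SUDO_CMD"
    ipa_run sudorule-add "$SUDO_RULE" --hostcat=all
    ipa_run sudorule-add-user "$SUDO_RULE" --groups="$POSIX_GROUP"
    ipa_run sudorule-add-allow-command "$SUDO_RULE" --sudocmds="$SUDO_CMD"
}

# Checks worth running after provisioning: the external group should list a
# SID under "External member", and the rule should name the POSIX group.
verify_mapping() {
    ipa_run group-show "$EXT_GROUP"
    ipa_run group-show "$POSIX_GROUP"
    ipa_run sudorule-show "$SUDO_RULE"
}

# Usage: IPA_DRY_RUN=1 sh map_ad_sudo.sh apply   (drop IPA_DRY_RUN to execute)
case "${1:-}" in
    apply) map_ad_user_to_sudo; verify_mapping ;;
esac
```

On an enrolled client, confirm the result with `id jdoe@ad.example.com` (the POSIX group should appear in the group list) and `sudo -l -U jdoe@ad.example.com`. SSSD caches group membership, so run `sss_cache -E` on the client, or wait for the cache to expire, before concluding that a change did not take effect.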
Perfect. The example has been very clear. Thank you very much!
Regards, Daniele
On 30 January 2018 at 11:00, Alexander Bokovoy abokovoy@redhat.com wrote:
freeipa-users@lists.fedorahosted.org