On Mon, 26 Nov 2018, Michael Gusek via FreeIPA-users wrote:
Thx a lot. So we will export keytabs for our AD users.
Sorry, how would this help? Your real issue is that you cannot assign
group membership in LDAP to AD users, this is where access rights are
checked.
You can read a basic explanation at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-...
or more details at
https://github.com/abbra/freeipa-adusers-admins
Micha
On 23.11.18 at 16:25, Alexander Bokovoy via FreeIPA-users wrote:
> Not possible in CentOS 7.
>
> Possible in RHEL8 beta.
>
> (Sorry for being short, I'm on the phone)
>
> ----- Michael Gusek via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>> Hi,
>>
>> we are running FreeIPA 4.5.4 on CentOS 7 with a one-way trust to an
>> Active Directory. We want to allow AD users to retrieve a service keytab
>> on FreeIPA managed hosts. AD users are linked to an external group, and
>> this group to a FreeIPA group. We've created a service and allowed the
>> FreeIPA group (for testing, the external group too) to retrieve the keytab. Now
>> we logged in with AD credentials to a FreeIPA managed host, got a
>> ticket with kinit user@AD-domain and tried to retrieve the keytab for the
>> service, which runs into an error "Failed to parse result: Insufficient
>> access rights". With a FreeIPA user, added to the FreeIPA group above, it
>> works.
>>
>> So what are we missing here? Is it possible to retrieve service keytabs
>> as a trusted AD user?
>>
>> Thanks.
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
________________________________________________
Michael Gusek | System Administrator | Webtrekk GmbH
t +49 30 755 415 302 | f +49 30 755 415 100 | w www.webtrekk.com
Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO
Christian Sauer und Norman Wahnschaff
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland