Hi - I have an IPA setup (4.6.6) with a trust to AD servers. The users can log in to the
servers via ssh and everything is allowed via HBAC groups.
I have some users that are admins so I created an all-servers access group.
But when I issue the "id" or "groups" command, users are reported
as being members of groups they don't belong to, for example:
User id094844 (an external user in AD) is reported as a member of:
[root@el6983 ~]# id id094844 | tr ',' '\n' | grep acc
1856201464(acc-devredhat-hbac-usergroup@dev.ipa.bc)
1856233001(acc-el2720-hbac-usergroup@dev.ipa.bc)
1856230575(acc-el2740-hbac-usergroup@dev.ipa.bc)
1856231052(acc-el2741-hbac-usergroup@dev.ipa.bc)
[...]
But if I check the group membership of acc-el2740-hbac-usergroup (my POSIX group):
[root@el6983 ~]# ipa group-show acc-el2740-hbac-usergroup
Group name: acc-el2740-hbac-usergroup
GID: 1856230575
Member users: id999026
Member groups: acc-el2740-hbac-usergroup-ext, ai-it_rpa_accesses, cmos,
is-storage_backup_bo, is-storage_backup_fo
Member of HBAC rule: acc-el2740-hbac
Indirect Member users: abiaload, abidload
Indirect Member groups: ai-it_rpa_accesses-extgrp, is-storage_backup_fo-extgrp,
is-storage_backup_bo-extgrp, cmos-extgrp
# Checking my external group:
[root@el6983 ~]# ipa group-show acc-el2740-hbac-usergroup-ext
Group name: acc-el2740-hbac-usergroup-ext
Member of groups: acc-el2740-hbac-usergroup
Indirect Member of HBAC rule: acc-el2740-hbac
And id094844 isn't a member of any group nested in acc-el2740-hbac-usergroup.
As we have a lot of servers, I'm afraid that we'll get a lot of these memberships once
our migration is over... Any way to fix this?
Thanks!
Sébastien Toulmonde
Linux Engineering | ITS Linux CC
[Proximus]<http://www.proximus.be/>