[Freeipa-users] Re: Using Vaults with AD User // Groups

Freeipa Problem we have a freeipa --> ad setup (one way trust) our problem is we cant get external ad user // groups to work

what we did: we added the trust: Trust Settings Realm name domain.at Domain NetBIOS name DOMAIN Domain Security Identifier S-1-5-21-2435101603-3558199190-xxxxxxx Trust direction Trusting forest Trust type Active Directory domain we have trusted domains: domain.at Enabled DOMAIN S-1-5-21-2435101603-3558199190-xxxxxxx the global trust config looks like: Domain lx.domain.at Security Identifier S-1-5-21-3255425601-626398459-xxxxxx NetBIOS name LX Domain GUID 671b2faa-5129-4a5c-a410-xxxxxxx Fallback primary group Default SMB Group IPA AD trust agents ipa-ihs-prod-c81.lx.domain.at ipa-ihs-prod-c82.lx.domain.at ipa-ihs-test-c81.lx.domain.at ipa-ihs-test-c82.lx.domain.at ipa-web-prod-c81.lx.domain.at ipa-web-prod-c82.lx.domain.at ipa-web-test-c81.lx.domain.at ipa-web-test-c82.lx.domain.at IPA AD trust controllers ipa-ihs-prod-c81.lx.domain.at ipa-ihs-prod-c82.lx.domain.at ipa-ihs-test-c81.lx.domain.at ipa-ihs-test-c82.lx.domain.at ipa-web-prod-c81.lx.domain.at ipa-web-prod-c82.lx.domain.at ipa-web-test-c81.lx.domain.at ipa-web-test-c82.lx.domain.at we have those id ranges: LX.DOMAIN.AT_id_range 224200000 200000 local domain range DOMAIN.AT_id_range 800000000 200000 Active Directory domain range we executed following commands for external group like described in https://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_fo... ipa group-add --desc='u0-erdberg' u0-erdberg-verwaltung_ext --external ipa group-add --desc='u0-erdberg' u0-erdberg-verwaltung u0-erdberg-verwaltung 224200005 u0-erdberg ipa group-add-member u0-erdberg-verwaltung_ext --external 'DOMAIN\u0-erdberg-verwaltung' ipa group-add-member u0-erdberg-verwaltung --groups u0-erdberg-verwaltung_ext now i login to a freeipa managed host or an ipa server with ssh -l ad_user(a)domain.at server.lx.domain.at and check my groups i get: 224200005(u0-erdberg-verwaltung) which is the freeipa group 800089798(u0-erdberg-verwaltung(a)domain.at) which is the ad group now i added roles to the ipa group and the ipa ext group: User Group: u0-erdberg-verwaltung Role name helpdesk Enrollment Administrator vault_admin Smart Proxy Host Manager IT Specialist Security Architect IT Security Specialist User Administrator User Group: u0-erdberg-verwaltung_ext Role name IT Security Specialist vault_admin Smart Proxy Host Manager User Administrator Security Architect IT Specialist helpdesk Enrollment Administrator now the fail happens: ipa vault-add test --type=standard ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at' . }, "id": 0, "principal": &quot;ad_user(a)DOMAIN.AT&quot;, "result": null, "version": "4.7.1" } ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'. [ad_user@domain.at(a)ipa-ihs-test-c81 ~]$ ipa -vv vault-add test --type=standard ipa: INFO: Request: { "id": 0, "method": "ping", "params": [ [], {} ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": &quot;ad_user(a)DOMAIN.AT&quot;, "result": { "messages": [ { "code": 13001, "data": { "server_version": "2.230" }, "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.230", "name": "VersionMissing", "type": "warning" } ], "summary": "IPA server version 4.7.1. API version 2.230" }, "version": "4.7.1" } ipa: INFO: Request: { "id": 0, "method": "vault_add_internal/1", "params": [ [ "test" ], { "ipavaulttype": "standard", "version": "2.230" } ] } ipa: INFO: Response: { "error": { "code": 2100, "data": { "info": "Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'." }, "message": "Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'.", "name": "ACIError" }, "id": 0, "principal": &quot;ad_user(a)DOMAIN.AT&quot;, "result": null, "version": "4.7.1" } ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'. [ad_user@domain.at(a)ipa-ihs-test-c81 ~]$ ipa -vv vault-add test --type=standard ipa: INFO: Request: { "id": 0, "method": "ping", "params": [ [], {} ] } ipa: INFO: Response: { "error": null, "id": 0, "principal": &quot;ad_user(a)DOMAIN.AT&quot;, "result": { "messages": [ { "code": 13001, "data": { "server_version": "2.230" }, "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.230", "name": "VersionMissing", "type": "warning" } ], "summary": "IPA server version 4.7.1. API version 2.230" }, "version": "4.7.1" } ipa: INFO: Request: { "id": 0, "method": "vault_add_internal/1", "params": [ [ "test" ], { "ipavaulttype": "standard", "version": "2.230" } ] } ipa: INFO: Response: { "error": { "code": 2100, "data": { "info": "Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'." }, "message": "Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'.", "name": "ACIError" }, "id": 0, "principal": &quot;ad_user(a)DOMAIN.AT&quot;, "result": null, "version": "4.7.1" } ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'. -- ÖAMTC I BAUMGASSE 129 I 1030 WIEN Elias Rami | Devops Engineer M +43 664 613 1346 elias.rami(a)oeamtc.at | www.oeamtc.at<http://www.oeamtc.at/> | ÖAMTC ZVR 7300335108 ________________________________ Schenken Sie ein gutes Gefühl! Jetzt online ÖAMTC Wertgutschein kaufen, z.B. für Schutzbrief, Autobahnvignette, Reisen, Fahrtechnik, uvm. www.oeamtc-gutschein.at<https://www.oeamtc-gutschein.at> ________________________________ Wichtiger Hinweis/Important Information: Dieses E-Mail samt Anlagen („E-Mail“) dient nur zur Information. Erklärungen via E-Mail sind nicht rechtsverbindlich, sondern bedürfen der schriftlichen Bestätigung samt firmenmäßiger/statutenmäßiger Unterfertigung durch Mitglieder der Geschäftsleitung in vertretungsbefugter Anzahl. Für die Richtigkeit oder Vollständigkeit der übermittelten Informationen/Daten, für Übermittlungsfehler, für fehlgeleitete E-Mails oder für einen verspäteten Empfang wird nicht gehaftet. Eigene elektronische Empfangs- oder Lesebestätigungen gelten nicht als Bestätigung für den Erhalt eines E-Mails. Der Inhalt dieses E-Mails ist vertraulich. Wenn Sie nicht der angegebene Adressat oder dessen Vertreter sind, informieren Sie bitte umgehend den Absender und löschen Sie dieses E-Mail von Ihrem System. Die unerlaubte Weitergabe oder Nutzung ist nicht gestattet. This e-mail and any attachment (“e-mail”) serves information purposes only. Statements via e-mail are not legally binding but require written confirmation including the signatures of the required number of managing directors under statutory provisions. We are not liable for the accuracy and sufficiency of the provided information/data, for any transmission error, misdirection, loss or delay of an e-mail. Electronic reading receipts are no confirmation for receipt of an e-mail. This e-mail is confidential. If you are not the addressee or his representative, please notify the sender immediately and delete this e-mail from your system. Any disclosure or use is prohibited. ________________________________ _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...