Freeipa Problem
we have a FreeIPA --> AD setup (one way trust)
our problem is we can't get external AD users/groups to work
(your mail client did terrible formatting)
The issue you have is that external groups in IPA aren't used for ACI
handling in LDAP. So any access to vaults is not granted even by
assigning roles to the group that has external members.
If you are using RHEL 8.x, you should do
yum module install idm:DL1/adtrust
This will bring in the ipa-idoverride-memberof package, which provides a plugin
to add ID overrides from the Default trust view as members of IPA groups
for the purpose of LDAP ACI checks. See the following documentation
section for details:
what we did:
we added the trust:
Trust Settings
Realm name: domain.at
Domain NetBIOS name: DOMAIN
Domain Security Identifier: S-1-5-21-2435101603-3558199190-xxxxxxx
Trust direction: Trusting forest
Trust type: Active Directory domain
we have trusted domains:
domain.at (Enabled), NetBIOS name DOMAIN, SID S-1-5-21-2435101603-3558199190-xxxxxxx
the global trust config looks like:
Domain: lx.domain.at
Security Identifier: S-1-5-21-3255425601-626398459-xxxxxx
NetBIOS name: LX
Domain GUID: 671b2faa-5129-4a5c-a410-xxxxxxx
Fallback primary group: Default SMB Group
IPA AD trust agents:
ipa-ihs-prod-c81.lx.domain.at
ipa-ihs-prod-c82.lx.domain.at
ipa-ihs-test-c81.lx.domain.at
ipa-ihs-test-c82.lx.domain.at
ipa-web-prod-c81.lx.domain.at
ipa-web-prod-c82.lx.domain.at
ipa-web-test-c81.lx.domain.at
ipa-web-test-c82.lx.domain.at
IPA AD trust controllers:
ipa-ihs-prod-c81.lx.domain.at
ipa-ihs-prod-c82.lx.domain.at
ipa-ihs-test-c81.lx.domain.at
ipa-ihs-test-c82.lx.domain.at
ipa-web-prod-c81.lx.domain.at
ipa-web-prod-c82.lx.domain.at
ipa-web-test-c81.lx.domain.at
ipa-web-test-c82.lx.domain.at
we have these ID ranges:
LX.DOMAIN.AT_id_range: first ID 224200000, number of IDs 200000, local domain range
DOMAIN.AT_id_range: first ID 800000000, number of IDs 200000, Active Directory domain range
we executed the following commands for the external group as described in
https://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_fo...
ipa group-add --desc='u0-erdberg' u0-erdberg-verwaltung_ext --external
ipa group-add --desc='u0-erdberg' u0-erdberg-verwaltung
u0-erdberg-verwaltung
224200005
u0-erdberg
ipa group-add-member u0-erdberg-verwaltung_ext --external 'DOMAIN\u0-erdberg-verwaltung'
ipa group-add-member u0-erdberg-verwaltung --groups u0-erdberg-verwaltung_ext
now I log in to a FreeIPA-managed host or an IPA server with
ssh -l ad_user@domain.at server.lx.domain.at
and when I check my groups I get:
224200005(u0-erdberg-verwaltung) which is the FreeIPA group
800089798(u0-erdberg-verwaltung@domain.at) which is the AD group
now I added roles to the IPA group and the IPA ext group:
User Group: u0-erdberg-verwaltung
Role name
helpdesk
Enrollment Administrator
vault_admin
Smart Proxy Host Manager
IT Specialist
Security Architect
IT Security Specialist
User Administrator
User Group: u0-erdberg-verwaltung_ext
Role name
IT Security Specialist
vault_admin
Smart Proxy Host Manager
User Administrator
Security Architect
IT Specialist
helpdesk
Enrollment Administrator
now the failure happens:
ipa vault-add test --type=standard
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry
'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'.
[ad_user@domain.at(a)ipa-ihs-test-c81 ~]$ ipa -vv vault-add test --type=standard
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}
ipa: INFO: Response: {
"error": null,
"id": 0,
"principal": "ad_user(a)DOMAIN.AT",
"result": {
"messages": [
{
"code": 13001,
"data": {
"server_version": "2.230"
},
"message": "API Version number was not sent, forward
compatibility not guaranteed. Assuming server's API version, 2.230",
"name": "VersionMissing",
"type": "warning"
}
],
"summary": "IPA server version 4.7.1. API version 2.230"
},
"version": "4.7.1"
}
ipa: INFO: Request: {
"id": 0,
"method": "vault_add_internal/1",
"params": [
[
"test"
],
{
"ipavaulttype": "standard",
"version": "2.230"
}
]
}
ipa: INFO: Response: {
"error": {
"code": 2100,
"data": {
"info": "Insufficient 'add' privilege to add the entry
'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'."
},
"message": "Insufficient access: Insufficient 'add'
privilege to add the entry
'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'.",
"name": "ACIError"
},
"id": 0,
"principal": "ad_user(a)DOMAIN.AT",
"result": null,
"version": "4.7.1"
}
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry
'cn=test,cn=ad_user,cn=users,cn=vaults,cn=kra,dc=lx,dc=domain,dc=at'.
--
ÖAMTC I BAUMGASSE 129 I 1030 WIEN
Elias Rami | Devops Engineer
M +43 664 613 1346
elias.rami(a)oeamtc.at |
www.oeamtc.at<http://www.oeamtc.at/> | ÖAMTC ZVR 7300335108
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
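The fix Alexander describes above (install the adtrust profile, then add the AD user's ID override from the Default Trust View to the IPA group that carries the roles), carried through as a script. This is an added example, not code from the thread or from the FreeIPA project; the `--idoverrideusers` option of `ipa group-add-member` is the one the ipa-idoverride-memberof plugin adds and its spelling is assumed here, and the user and group names are taken from the thread.

```shell
#!/bin/bash
# Added example (not from the thread): make an AD user's LDAP ACI checks succeed
# in IPA by adding the user's ID override from the Default Trust View as a member
# of the IPA group that carries the roles. Assumes RHEL 8 with the idm:DL1 module
# and the --idoverrideusers option that ipa-idoverride-memberof provides.
set -eu

VIEW="Default Trust View"     # IPA's built-in view covering every trusted AD user
DRY_RUN="${DRY_RUN:-0}"       # DRY_RUN=1 prints the ipa commands instead of running them

run() {                       # run a command, or print it in dry-run mode
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

exists() {                    # precondition probe; dry-run reports "missing" so every step shows
  [ "$DRY_RUN" = 1 ] && return 1
  "$@" >/dev/null 2>&1
}

# $1 = AD principal (user@AD.DOMAIN form), $2 = IPA group that has the roles assigned
grant_ad_user() {
  user="$1"; group="$2"
  # 1. plugin: the adtrust profile of the idm module ships ipa-idoverride-memberof
  exists rpm -q ipa-idoverride-memberof || run yum module install -y idm:DL1/adtrust
  # 2. an override entry for the user must exist in the view before it can be a member
  exists ipa idoverrideuser-show "$VIEW" "$user" || run ipa idoverrideuser-add "$VIEW" "$user"
  # 3. membership of the override is what makes the group's ACIs apply to the AD user's bind
  run ipa group-add-member "$group" --idoverrideusers="$user"
  # 4. verify: the override DN should now be listed among the group's members
  run ipa group-show "$group"
}

# Usage: ./grant-ad-user.sh ad_user@domain.at u0-erdberg-verwaltung
if [ $# -eq 2 ]; then grant_ad_user "$1" "$2"; fi
```

Nested IPA groups are not enough: the override must be a direct member of the group whose roles grant the vault privileges, so repeat step 3 for each such group.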