Hi,
in order to use AD users or groups in HBAC/sudo rules, you need to first
create an external group (ipa group-add --external extgrp) that will
contain your AD users/groups, then create a posix group (ipa group-add
grp) and add the external group as member of the posix group (ipa
group-add-member grp --groups extgrp).
The HBAC and sudo rules need to use the posix group, not the external group.
This is explained in "Creating IdM Groups for Active Directory Users"
[1] in the book "Windows Integration Guide".
Hope this clarifies,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
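As an added example (not flo's code nor the IPA project's own), the sequence above applied to the setup in the quoted question, extended with attaching the POSIX group to the HBAC and sudo rules and a client-side check; the group names tgo_admins_ext and tgo_admins_posix are assumptions, the AD user and rule names come from the question.

```shell
#!/bin/sh
# Added example (not from the thread): AD user -> external group -> POSIX group,
# then attach the POSIX group to the HBAC and sudo rules.
# Group names are assumptions; AD user and rule names come from the question.
AD_USER="aduser@test.lu"          # trusted-domain account
EXT_GROUP="tgo_admins_ext"        # external group: AD members only, no POSIX attributes
POSIX_GROUP="tgo_admins_posix"    # POSIX group: the one the rules must reference
HBAC_RULE="tgo_admins"
SUDO_RULE="tgo_admins"

# Print each ipa command; execute it unless DRY_RUN=1, so the sequence can be
# reviewed before it changes anything on the IPA server.
run_ipa() {
    printf 'ipa %s\n' "$*"
    [ "${DRY_RUN:-0}" = "1" ] || ipa "$@"
}

# Membership chain. Only the external group may hold AD principals directly.
setup_group_chain() {
    run_ipa group-add --external "$EXT_GROUP"
    run_ipa group-add-member "$EXT_GROUP" --external "$AD_USER"
    run_ipa group-add "$POSIX_GROUP"
    run_ipa group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
}

# Rules reference the POSIX group: the external group has no POSIX attributes,
# so the client cannot match a rule that names it.
attach_rules() {
    run_ipa hbacrule-add-user "$HBAC_RULE" --groups "$POSIX_GROUP"
    run_ipa sudorule-add-user "$SUDO_RULE" --groups "$POSIX_GROUP"
}

# Client-side check: once SSSD resolves the AD user, the POSIX group must show
# up in its group list; if it does not, the rules will still not match.
check_client() {
    id "$AD_USER" | grep -q "$POSIX_GROUP"
}

if [ "${1:-}" = "apply" ]; then
    setup_group_chain
    attach_rules
fi
```

Run with `DRY_RUN=1 sh script.sh apply` on the IPA server to review the commands first, then `check_client` on the enrolled client after clearing the SSSD cache.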
On 6/4/20 12:33 PM, Christophe BERGER via FreeIPA-users wrote:
Good morning all,
I created a lab with freeIPA and AD with a trust.
- AD domain: test.lu
- IPA domain: test2.lu
I have installed an Oracle Linux 8.2 VM as the client.
I created a freeIPA user group: tgo_admins
There are 2 members:
- ipalocaluser (local IPA account)
- aduser (AD account)
sudo ipa group-show tgo_admins
Group name: tgo_admins
External member: aduser@test.lu
Member users: ipalocaluser
Member of groups: admins
Member of Sudo rule: tgo_admins
Member of HBAC rule: tgo_admins
The HBAC rule allows tgo_admins to log in on any machine.
The sudo rule allows tgo_admins to sudo on any machine.
- With an account created in freeIPA I can ssh to the VM:
ssh ipalocaluser@10.168.78.122
Last login: Thu Jun 4 14:23:43 2020 from 10.168.78.1
[ipalocaluser@ipa-test ~]$ klist
Ticket cache: KCM:703800005:58408
Default principal: ipalocaluser@TEST2.LU
Valid starting Expires Service principal
06/04/2020 14:24:01 06/05/2020 14:24:01 krbtgt/TEST2.LU@TEST2.LU
- With the AD account, it fails to log in:
ssh aduser@test.lu@10.168.78.122
aduser@test.lu@10.168.78.122's password:
aduser@test.lu@10.168.78.122's password:
The password is correct, I double checked.
From the workstation itself, the authentication looks fine:
sudo kinit aduser@test.lu
Password for aduser@test.lu:
[cbr@ipa-test ~]$ sudo klist
Ticket cache: KCM:0:28293
Default principal: aduser@TEST.LU
Valid starting Expires Service principal
06/04/2020 12:31:53 06/04/2020 22:31:53 krbtgt/TEST.LU@TEST.LU
renew until 06/05/2020 12:31:50
I can also sudo su - aduser@test.lu
Creating home directory for aduser@test.lu.
Last failed login: Thu Jun 4 14:30:52 CEST 2020 from 10.168.78.1 on ssh:notty
There were 2 failed login attempts since the last successful login.
Any idea?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org