We do have the problem that a user from an AD group does not show up in IPA whereas all other users of this particular group do. The AD group is used for PAM authorization in Apache.
The AD group is correctly mapped in IPA. However, the AD group is a domain local group. (shouldn't these groups not work at all in combination with IPA?)
The only thing we saw immediately in the log files was "user not known to the underlying PAM module". What else should we look for?
Cheers, Ronald
On 06.06.23 08:42, Ronald Wimmer via FreeIPA-users wrote:
We do have the problem that a user from an AD group does not show up in IPA whereas all other users of this particular group do. The AD group is used for PAM authorization in Apache.
The AD group is correctly mapped in IPA. However, the AD group is a domain local group. (shouldn't these groups not work at all in combination with IPA?)
The only thing we saw immediately in the log files was "user not known to the underlying PAM module". What else should we look for?
We will, of course, follow the SSSD troubleshooting steps (https://sssd.io/troubleshooting/basics.html ) but we did not have time to do so up to this moment.
On Tue, 06 Jun 2023, Ronald Wimmer via FreeIPA-users wrote:
We do have the problem that a user from an AD group does not show up in IPA whereas all other users of this particular group do. The AD group is used for PAM authorization in Apache.
The AD group is correctly mapped in IPA. However, the AD group is a domain local group. (shouldn't these groups not work at all in combination with IPA?)
They should not.
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/597...
--------- Domain local groups: These groups can contain members from any trusted domain, but are granted permissions only to resources in their own domain. A domain administrator can create a domain local group for each resource that exists within a domain, such as file shares or printers, and then add the appropriate global groups from each domain to this domain local group. The domain administrator then assigns the appropriate permissions for the resources to the domain local group. ---------
We have https://pagure.io/freeipa/issue/6947 to prevent them from even being specified when mapping groups but this is not something we can do without SSSD giving us this information. They currently don't provide this detail.
The only thing we saw immediately in the log files was "user not known to the underlying PAM module". What else should we look for?
Don't use domain local groups from a trusted forest's domains to make decisions on access to resources in IPA. Use universal or domain global groups instead.
To make it work we:
1) create an external group with the same name as the AD group plus the external suffix (example for the AD group web-users: ug-web-users-external); the AD group can be seen in the External tab of this group in the Web UI
2) create a POSIX group with the name of the AD group and no suffix (example: ug-web-users); in that group, the name of the EXTERNAL GROUP can be found in the User Groups tab of the Web UI for that group...
Like that it works by following the chain (Posix group, External group, AD group)...
The external groups are AD-like groups with Windows settings. The POSIX groups are Unix-like groups with the required settings (uid, gid, shell, etc.).
The chain allows combining those settings for the same AD user...
Bernard LHEUREUX Linux & System Engineer http://www.win.be
-----Original Message----- From: Ronald Wimmer via FreeIPA-users freeipa-users@lists.fedorahosted.org Sent: Tuesday, 6 June 2023 08:47 To: freeipa-users@lists.fedorahosted.org Cc: Ronald Wimmer ronaldw@ronzo.at Subject: [Freeipa-users] Re: AD user does not show up in IPA
On 06.06.23 08:42, Ronald Wimmer via FreeIPA-users wrote:
We do have the problem that a user from an AD group does not show up in IPA whereas all other users of this particular group do. The AD group is used for PAM authorization in Apache.
The AD group is correctly mapped in IPA. However, the AD group is a domain local group. (shouldn't these groups not work at all in combination with IPA?)
The only thing we saw immediately in the log files was "user not known to the underlying PAM module". What else should we look for?
We will, of course, follow the SSSD troubleshooting steps (https://sssd.io/troubleshooting/basics.html ) but we did not have time to do so up to this moment.
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
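The two points raised above, Alexander's (domain local groups cannot be used for IPA access decisions) and Bernard's (map the AD group through an external group into a POSIX group), as one added example that is not from the thread or from FreeIPA itself: it decodes the AD groupType attribute as returned by LDAP, refuses the domain local scope, and otherwise emits the ipa CLI commands for the external -> POSIX chain. The NetBIOS domain name EXAMPLEAD is a constructed placeholder; the group names come from Bernard's message.

```python
"""Check an AD group's scope before mapping it into IPA, then plan the chain."""

# Bits of the AD groupType attribute (LDAP returns it as a signed 32-bit int).
SCOPE_GLOBAL = 0x00000002
SCOPE_DOMAIN_LOCAL = 0x00000004
SCOPE_UNIVERSAL = 0x00000008
FLAG_SECURITY = 0x80000000  # clear => distribution group


def classify_group_type(group_type):
    """Decode groupType; accepts the negative signed value ldapsearch prints."""
    value = int(group_type) & 0xFFFFFFFF
    if value & SCOPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif value & SCOPE_GLOBAL:
        scope = "global"
    elif value & SCOPE_UNIVERSAL:
        scope = "universal"
    else:
        raise ValueError(f"unrecognised groupType {group_type!r}")
    return {"scope": scope, "security": bool(value & FLAG_SECURITY)}


def plan_ipa_mapping(ad_group, ad_domain, ipa_name, group_type):
    """Return the ipa commands for the external/POSIX chain, or refuse.

    Refuses domain local groups, which IPA cannot resolve across the trust.
    """
    info = classify_group_type(group_type)
    if info["scope"] == "domain local":
        raise ValueError(
            f"{ad_domain}\\{ad_group} is a domain local group; "
            "use a universal or global group instead")
    external = f"{ipa_name}-external"
    return [
        f"ipa group-add --external {external}",
        f"ipa group-add-member {external} --external '{ad_domain}\\{ad_group}'",
        f"ipa group-add {ipa_name}",
        f"ipa group-add-member {ipa_name} --groups {external}",
    ]


if __name__ == "__main__":
    # Constructed sample: a universal security group (0x80000008 as signed int).
    for cmd in plan_ipa_mapping("web-users", "EXAMPLEAD", "ug-web-users", -2147483640):
        print(cmd)
```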
On 06.06.23 08:59, Alexander Bokovoy wrote:
On Tue, 06 Jun 2023, Ronald Wimmer via FreeIPA-users wrote:
We do have the problem that a user from an AD group does not show up in IPA whereas all other users of this particular group do. The AD group is used for PAM authorization in Apache.
The AD group is correctly mapped in IPA. However, the AD group is a domain local group. (shouldn't these groups not work at all in combination with IPA?)
They should not.
That's what I remembered. We will correct this as a first step. If the user still does not show up after that, I'll get back to this thread.
Cheers, Ronald