I have integrated FreeIPA with AD via a two-way trust. However, I now have a problem.
How do I add my AD users, logging in to Linux clients, to the local machines' docker group so that they can run Docker? Any help would be appreciated. Thanks everyone!
Sameer K Gurung
Have a look at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 30 July 2023 11:17:37 CEST, Sameer Gurung via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
-- This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Saint Mary's College, Shillong, Meghalaya, India-793003, smcs.ac.in http://smcs.ac.in
I have followed the link you sent and managed to add users to the local docker group when the users are in FreeIPA. However, in my case they are AD users logging in to Linux clients through the IPA-AD trust.
*Sameer Kr. Gurung*
On Sun, Jul 30, 2023 at 6:07 PM Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
The referenced thread is about merging local and IPA groups. Not explicitly about the direction.
Cheers, Ronald
On 30.07.23 17:54, Sameer Gurung via FreeIPA-users wrote:
On Sun, Jul 30, 2023 at 6:07 PM Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Have a look at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/WR7JQOMWCEXNABNSZGFF2FYN6ENEHEIB/#BBVO35ZP4YFI7C27NASZLYWRWDFY6DRH
On Sun, Jul 30, 2023 at 10:20 PM Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I don't quite follow. I have added a docker group to FreeIPA with the --external option, then added my AD user to this group; this works fine. However, at the client, group merging does not take place: the AD user is not added to the local docker group of the client.
On Mon, 31 Jul 2023, Sameer Gurung via FreeIPA-users wrote:
You are using it the wrong way.
An 'external' group in IPA is not a POSIX group. It is supposed to be included in a POSIX group, and then SSSD on the client system will pull all external references from the 'external' group when building up the membership of the POSIX group. That's why the documentation talks about a two-group build-up:
- create an 'external' group and add AD objects as members of it
- create a POSIX group and add the 'external' group as a member
The group merging feature in glibc works only for POSIX groups, because these are the only groups that exist in the POSIX environment where glibc operates. Unless an AD user is pulled into the POSIX group, the group cannot see the AD user as a member.
So you should create a 'docker-external' 'external' group and add users there. Then create a 'docker' group in IPA and add 'docker-external' as a member there. Then, upon login to a system governed by SSSD, this 'docker' group membership will be filled in by SSSD for the AD user, and glibc will handle group merging on top of that.
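As an added example (not from the thread and not FreeIPA project code): Alexander's two-group build-up written out as the ipa(1) commands it corresponds to, followed by the client-side checks. The group names docker-external and docker, the AD member 'AD\sameer', the principal sameer@ad.example.com and the GID 999 are placeholders. Giving the IPA POSIX group the same GID as the client's local docker group with --gid is my own assumption, based on how nsswitch.conf(5) describes the merge (entries are merged when group name and GID match); the thread does not say this.

```shell
#!/bin/sh
# Added example: Alexander's two-group build-up as ipa(1) commands, plus the
# client-side checks. Group names, the AD member 'AD\sameer', the principal
# sameer@ad.example.com and GID 999 are placeholders. DRY_RUN=1 (default)
# only prints the commands; DRY_RUN=0 executes them (needs an admin ticket).
set -eu

: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would run: %s\n' "$*"
  else
    "$@"
  fi
}

# $1: AD user or group in 'DOMAIN\name' form, $2: GID of the clients' local
# docker group. Assumption (not from the thread): the IPA POSIX group gets the
# same GID as the local one, so that glibc's [SUCCESS=merge] can merge the two
# entries; nsswitch.conf(5) describes the merge as requiring matching name and GID.
setup_docker_groups() {
  ad_member=$1
  local_gid=$2
  # 1. non-POSIX 'external' group: the only kind that may hold AD members (SIDs)
  run ipa group-add docker-external --external --desc='AD members allowed to run docker'
  run ipa group-add-member docker-external --external "$ad_member"
  # 2. POSIX group that SSSD expands for the AD user at login
  run ipa group-add docker --gid="$local_gid" --desc='docker access (POSIX)'
  run ipa group-add-member docker --groups=docker-external
}

# On a client: drop SSSD's cached view of the user, then confirm that 'docker'
# appears in id(1) with the local GID and that getent returns one merged entry.
verify_on_client() {
  user=$1
  run sss_cache -E
  run id "$user"
  run getent group docker
}

setup_docker_groups 'AD\sameer' 999
verify_on_client sameer@ad.example.com
```

Run it once with DRY_RUN=1 to review the commands, then with DRY_RUN=0 on an IPA server (after kinit admin) for the setup_docker_groups part and on a client for verify_on_client.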
On Mon, 31 Jul, 2023, 12:53 Alexander Bokovoy, abokovoy@redhat.com wrote:
I thought this had solved my problem, but after the recent update to FreeIPA, group merging no longer works.
1. New AD users added to the docker-external group are not added to the local machine's docker group.
2. AD users that were already in the docker-external group and had been added to the local machine's docker group no longer have permission to run Docker. Running the id command to check user details shows them to be members of the docker group, but the ID of the docker group is the ID of the FreeIPA docker POSIX group.
-- Alexander Bokovoy, Sr. Principal Software Engineer, Security / Identity Management Engineering, Red Hat Limited, Finland
On Wed, 09 Aug 2023, Sameer Gurung wrote:
Since user/group data properly comes from IPA, you need to check your client system configuration. Group merging is a feature of glibc and is driven by the configuration in /etc/nsswitch.conf.
On Wed, Aug 9, 2023 at 7:44 PM Alexander Bokovoy abokovoy@redhat.com wrote:
I thought adding initgroup:sss [SUCCESS=merge] files in nsswitch.conf would suffice. This is the contents of the file in the clients:

# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
automount:      sss
initgroups:     sss [SUCCESS=merge] files
On Пят, 11 жні 2023, Sameer Gurung wrote:
I thought adding initgroup:sss [SUCCESS=merge] files in nsswitch.conf would suffice. This is the contents of the file in the clients:

# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
automount:      sss
initgroups:     sss [SUCCESS=merge] files
Did you try the other order? E.g.
'files [SUCCESS=merge] sss'
See https://sourceware.org/glibc/wiki/Proposals/GroupMerging for details. Upstream commit is https://sourceware.org/git/?p=glibc.git;a=commit;h=ced8f8933673f4efda1d666d2...
Since merge is driven by the group found in the first database by adding members of the same group found in the second database, I think files should be first, sss should be second.
Other than that, you haven't told us anything about your system details, though. As I said, this is outside of IPA's control because the actual group merging is done by glibc.
So, start with explaining more details about your system:
- what distribution is it and what versions of installed packages (ipa/freeipa packages, SSSD packages, glibc, etc)
- what exactly happens
- what was updated