On Mon, 31 Jul, 2023, 12:53 Alexander Bokovoy, <aboko...@redhat.com> wrote:
> On Mon, 31 Jul 2023, Sameer Gurung via FreeIPA-users wrote:
> > On Sun, Jul 30, 2023 at 10:20 PM Ronald Wimmer via FreeIPA-users
> > <freeipa-users@lists.fedorahosted.org> wrote:
> >
> > > The referenced thread is about merging local and IPA groups. Not
> > > explicitly about the direction.
> > >
> > > Cheers,
> > > Ronald
> >
> > I don't quite follow. I have added a docker group to FreeIPA with the
> > --external option. Then added my AD user to this group. This works fine.
> > However, at the client, group merging does not take place. The AD user is
> > not added to the local docker group of the client.
>
> You are using it the wrong way.
>
> An 'external' group in IPA is not a POSIX group. It is supposed to be
> included into a POSIX group, and then SSSD on the client system will pull
> all external references from the 'external' group when building up the
> membership of the POSIX group. That's why the documentation talks about a
> two-group build-up:
>
> - create an 'external' group and add AD objects as members of it
> - create a POSIX group and add the 'external' group as a member
>
> The group merging feature in glibc works only for POSIX groups, because
> these are the only groups that exist in the POSIX environment where glibc
> operates. Unless an AD user is pulled into the POSIX group, the group
> cannot see the AD user as a member.
>
> So you should create a 'docker-external' 'external' group and add users
> there. Then create a 'docker' group in IPA and add the 'docker-external'
> group as a member there. Then, upon login to a system governed by SSSD,
> this 'docker' group membership will be filled in by SSSD for the AD user
> and glibc will handle group merging on top of that.

I thought this had solved my problem, but after the recent update to FreeIPA,
group merging no longer works.

1. New AD users added to the docker-external group are not added to the
   local machine's docker group.
2. AD users that were already in the docker-external group and were added
   to the local machine's docker group no longer have permission to run
   docker. Running the id command to check user details shows them to be
   members of the docker group, but the id of the docker group is the id of
   the FreeIPA docker POSIX group.

> >
> > > On 30.07.23 17:54, Sameer Gurung via FreeIPA-users wrote:
> > > > I have followed the link you sent and managed to add users to the
> > > > local docker group when the users are in FreeIPA. However, in my case
> > > > they are AD users logging in to Linux clients through the IPA AD trust.
> > > >
> > > > *Sameer Kr. Gurung*
> > > >
> > > > On Sun, Jul 30, 2023 at 6:07 PM Ronald Wimmer via FreeIPA-users
> > > > <freeipa-users@lists.fedorahosted.org> wrote:
> > > >
> > > > > Have a look at
> > > > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/WR7JQOMWCEXNABNSZGFF2FYN6ENEHEIB/#BBVO35ZP4YFI7C27NASZLYWRWDFY6DRH
> > > > >
> > > > > On 30 July 2023 11:17:37 CEST, Sameer Gurung via FreeIPA-users
> > > > > <freeipa-users@lists.fedorahosted.org> wrote:
> > > > >
> > > > > > I have integrated FreeIPA with AD via a two-way trust. However, I
> > > > > > now have a problem.
> > > > > >
> > > > > > How do I add my AD users logging in to Linux clients to the local
> > > > > > machine's docker group so that they can run docker?
> > > > > > Any help would be appreciated.
> > > > > > Thanks everyone!
> > > > > >
> > > > > > Sameer K Gurung
> > >
> > > --
> > > Ronald Wimmer
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

--
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
Saint Mary's College, Shillong, Meghalaya, India-793003, smcs.ac.in <http://smcs.ac.in>
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
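The two-group build-up Alexander describes, plus a client-side check for the GID mismatch Sameer sees in `id`, as an added example that is not part of the thread. Group names follow the advice above; the AD user, GIDs and nsswitch.conf lines are constructed placeholders, and `[SUCCESS=merge]` is the glibc nsswitch action that enables group merging.

```shell
#!/bin/sh
# Added example, not from the thread. Group names follow Alexander's advice;
# the AD user, GIDs and nsswitch lines below are constructed placeholders.

# Part 1: the two-group build-up on the IPA server (needs an admin ticket).
# Not executed by the checks below; shown as the commands an admin would run.
setup_ipa_docker_groups() {
    ad_user="$1"   # e.g. 'jdoe@ad.example.test' (placeholder)
    ipa group-add docker-external --external --desc 'AD members of docker'
    ipa group-add-member docker-external --external "$ad_user"
    ipa group-add docker --desc 'POSIX group that carries docker-external'
    ipa group-add-member docker --groups docker-external
}

# Part 2a: glibc merges group entries only when the nsswitch group line lists
# files before sss with the merge action between them. Prints yes or no.
nss_group_merge_ok() {
    if printf '%s\n' "$1" | grep -Eq '^group:[[:space:]]+files[[:space:]]+\[SUCCESS=merge\][[:space:]]+sss'; then
        echo yes
    else
        echo no
    fi
}

# Part 2b: Sameer's symptom. Args: local /etc/group line, the docker line the
# AD user sees via getent, the user name. "merged": member under the LOCAL gid;
# "ipa-gid": listed, but under the IPA POSIX group's gid, so the docker socket
# (owned by the local gid) stays off limits; "missing": not a member at all.
merge_status() {
    local_gid=$(printf '%s' "$1" | cut -d: -f3)
    seen_gid=$(printf '%s' "$2" | cut -d: -f3)
    seen_members=$(printf '%s' "$2" | cut -d: -f4)
    case ",$seen_members," in
        *",$3,"*) in_group=yes ;;
        *)        in_group=no ;;
    esac
    if [ "$in_group" = yes ] && [ "$seen_gid" = "$local_gid" ]; then
        echo merged
    elif [ "$in_group" = yes ]; then
        echo ipa-gid
    else
        echo missing
    fi
}

# Stand-alone demo on constructed data (local gid 990, IPA gid 1890400012).
merge_status 'docker:x:990:alice' 'docker:x:990:alice,jdoe@ad.example.test' 'jdoe@ad.example.test'
merge_status 'docker:x:990:alice' 'docker:*:1890400012:jdoe@ad.example.test' 'jdoe@ad.example.test'
nss_group_merge_ok 'group:     files [SUCCESS=merge] sss systemd'
```

On a client, run the check as the AD user with `merge_status "$(getent -s files group docker)" "$(getent group docker)" "$(id -un)"`; a result of `ipa-gid` means the IPA POSIX group won the lookup instead of being merged into the local entry.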