On Wed, Aug 9, 2023 at 7:44 PM Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 09 Aug 2023, Sameer Gurung wrote:
> >On Mon, 31 Jul, 2023, 12:53 Alexander Bokovoy, <aboko...@redhat.com> wrote:
> >
> >> On Mon, 31 Jul 2023, Sameer Gurung via FreeIPA-users wrote:
> >> >On Sun, Jul 30, 2023 at 10:20 PM Ronald Wimmer via FreeIPA-users <
> >> >freeipa-users@lists.fedorahosted.org> wrote:
> >> >
> >> >> The referenced thread is about merging local and IPA groups. Not
> >> >> explicitly about the direction.
> >> >>
> >> >> Cheers,
> >> >> Ronald
> >> >>
> >> >I don't quite follow. I have added a docker group to FreeIPA with the
> >> >--external option. Then added my AD user to this group. This works fine.
> >> >However, at the client group merging does not take place. The AD user is
> >> >not added to the local docker group of the client.
> >>
> >> You are using it the wrong way.
> >>
> >> An 'external' group in IPA is not a POSIX group. It is supposed to be
> >> included into a POSIX group, and then SSSD on the client system will pull
> >> all external references from the 'external' group when building up the
> >> membership of the POSIX group. That's why the documentation talks about
> >> a two-group buildup:
> >>
> >> - create an 'external' group and add AD objects as members of it
> >> - create a POSIX group and add the 'external' group as a member
> >>
> >> The group merging feature in glibc works only for POSIX groups because
> >> these are the only groups that exist in the POSIX environment where glibc
> >> operates. Unless an AD user is pulled into the POSIX group, the group
> >> cannot see the AD user as a member.
> >>
> >> So you should create a 'docker-external' 'external' group and add users
> >> there. Then create a 'docker' group in IPA and add the 'docker-external'
> >> group as a member there. Then, upon login to a system governed by SSSD,
> >> this 'docker' group membership will be filled in by SSSD for the AD user
> >> and glibc will handle group merging on top of that.
> >>
> >I thought this had solved my problem, but after the recent update to
> >FreeIPA, group merging no longer works.
> >
> >1. New AD users added to the docker-external group are not added to the
> >local machine's docker group.
> >
> >2. AD users that were already in the docker-external group and were added
> >to the local machine's docker group no longer have permission to run docker.
> >Running the id command to check user details shows them to be a member of
> >the docker group, but the id of the docker group is the id of the FreeIPA
> >docker POSIX group.
>
> Since user/group data properly comes from IPA, you need to check your
> client system configuration. Group merging is a feature of glibc and is
> driven by the configuration in /etc/nsswitch.conf.
>

I thought adding initgroup:sss [SUCCESS=merge] files in nsswitch.conf would suffice. This is the contents of the file on the clients:

#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
automount:      sss
initgroups:sss [SUCCESS=merge] files

> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>

--
Saint Mary's College, Shillong, Meghalaya, India-793003, smcs.ac.in <http://smcs.ac.in>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
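Added example (editor's code, not from the thread and not FreeIPA, SSSD or glibc code): a small POSIX shell script of the kind a practitioner would run on a client after reading Alexander's reply that merging is a glibc feature driven by /etc/nsswitch.conf. It parses an nsswitch.conf and prints the service list and actions per database, which makes visible that in the file Sameer posted the [SUCCESS=merge] action sits only on the initgroups line while the group line is plain "files systemd sss". It also emulates the merge rule as I read it in glibc's nss/grp-merge.c (assumption: two group entries are merged only when they have the same group name and the same GID; otherwise the first entry is returned unchanged), which is the condition to look at when id reports the docker group under the IPA GID rather than the local one. The sample nsswitch.conf (abbreviated from the posted one) and the group(5) entries with GIDs 999 and 1234000005 and users alice and bob@ad.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD/glibc.
# 1) nss_services / nss_has_merge parse an nsswitch.conf and show which
#    service list and actions a database carries.
# 2) merge_group emulates the group-merge rule as I read it from glibc's
#    nss/grp-merge.c (assumption): member lists are merged only when both
#    entries have the same group name AND the same GID; otherwise the first
#    entry is returned unchanged.

# Constructed sample: the client nsswitch.conf posted in the thread,
# abbreviated to the databases that matter here.
NSS_SAMPLE=$(mktemp)
trap 'rm -f "$NSS_SAMPLE"' EXIT
cat > "$NSS_SAMPLE" <<'EOF'
# Example configuration of GNU Name Service Switch functionality.
passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
hosts:          files mdns4_minimal [NOTFOUND=return] dns
initgroups:sss [SUCCESS=merge] files
EOF

# nss_services DB FILE: print the service/action list for database DB
# (comments and blank lines skipped; whitespace around the colon tolerated).
nss_services() {
    awk -v db="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            i = index($0, ":"); if (i == 0) next
            name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            rest = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", rest)
            print rest; exit
        }' "$2"
}

# nss_has_merge DB FILE: true when DB carries a [SUCCESS=merge] action
# (glibc matches status/action names case-insensitively).
nss_has_merge() {
    nss_services "$1" "$2" | grep -qi '\[SUCCESS=merge\]'
}

# merge_group SAVED OTHER: SAVED and OTHER are group(5) lines
# (name:passwd:gid:member,member). Prints the merged entry and returns 0
# when name and GID agree; otherwise prints SAVED unchanged and returns 1.
merge_group() {
    saved=$1 other=$2
    s_name=$(printf '%s\n' "$saved" | cut -d: -f1)
    o_name=$(printf '%s\n' "$other" | cut -d: -f1)
    s_gid=$(printf '%s\n' "$saved" | cut -d: -f3)
    o_gid=$(printf '%s\n' "$other" | cut -d: -f3)
    if [ "$s_name" != "$o_name" ] || [ "$s_gid" != "$o_gid" ]; then
        printf '%s\n' "$saved"
        return 1
    fi
    s_pw=$(printf '%s\n' "$saved" | cut -d: -f2)
    s_mem=$(printf '%s\n' "$saved" | cut -d: -f4)
    o_mem=$(printf '%s\n' "$other" | cut -d: -f4)
    # Union of the two member lists, first-seen order, duplicates dropped.
    members=$(printf '%s,%s\n' "$s_mem" "$o_mem" | tr ',' '\n' \
              | awk 'NF && !seen[$0]++' | paste -sd, -)
    printf '%s:%s:%s:%s\n' "$s_name" "$s_pw" "$s_gid" "$members"
}

# Walk-through on the sample: merge is configured on initgroups only, and a
# local docker group (GID 999) does not merge with an IPA docker group that
# carries a different GID, while a same-name same-GID pair does.
for db in group initgroups; do
    printf '%-12s %s\n' "$db:" "$(nss_services "$db" "$NSS_SAMPLE")"
done
nss_has_merge group "$NSS_SAMPLE" \
    || echo "group database has no [SUCCESS=merge] action"
merge_group 'docker:x:999:alice' 'docker:*:1234000005:bob@ad.example.com' \
    || echo "name/GID differ: no merge, local entry returned as-is"
merge_group 'docker:x:999:alice' 'docker:*:999:bob@ad.example.com,alice'
```

To use it on a real client, point nss_services at /etc/nsswitch.conf instead of the sample, and feed merge_group the two entries glibc would actually see, which getent can show per source: `getent -s files group docker` and `getent -s sss group docker`. If the GIDs printed by those two commands differ, the emulated rule above says no merge will happen, whatever action the nsswitch.conf line carries.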