On Fri, 11 Aug 2023, Sameer Gurung wrote:
On Wed, Aug 9, 2023 at 7:44 PM Alexander Bokovoy <aboko...@redhat.com>
wrote:

On Wed, 09 Aug 2023, Sameer Gurung wrote:
>On Mon, 31 Jul, 2023, 12:53 Alexander Bokovoy, <aboko...@redhat.com>
wrote:
>
>> On Mon, 31 Jul 2023, Sameer Gurung via FreeIPA-users wrote:
>> >On Sun, Jul 30, 2023 at 10:20 PM Ronald Wimmer via FreeIPA-users <
>> >freeipa-users@lists.fedorahosted.org> wrote:
>> >
>> >> The referenced thread is about merging local and IPA groups. Not
>> >> explicitly about the direction.
>> >>
>> >> Cheers,
>> >> Ronald
>> >>
>> >I don't quite follow. I have added a docker group to freeipa with the
>> >--external option, then added my AD user to this group. This works fine.
>> >However, at the client, group merging does not take place: the AD user is
>> >not added to the local docker group of the client.
>>
>> You are using it the wrong way.
>>
>> 'external' group in IPA is not a POSIX group. It is supposed to be
>> included into a POSIX group and then SSSD on the client system will pull
>> all external references from 'external' group when building up a
>> membership of the POSIX group. That's why the documentation talks about
>> two-group buildup:
>>
>>   - create an 'external' group and add AD objects as members of it
>>   - create a POSIX group and add the 'external' group as a member
>>
>> Group merging feature in glibc works only for POSIX groups because these
>> are the only groups that exist in POSIX environment where glibc
>> operates. Unless an AD user is pulled into the POSIX group, the group
>> cannot see the AD user as a member.
>>
>> So you should create a 'docker-external' 'external' group and add users
>> there. Then create a 'docker' group in IPA and add 'docker-external'
>> group as a member there. Then, upon login to a system governed by SSSD
>> this 'docker' group membership will be filled in by SSSD for the AD user
>> and glibc will handle group merging on top of that.
>>
>I thought this had solved my problem, but after the recent update to
>freeipa, group merging no longer works.
>
>1. New AD users added to the docker-external group are not added to the
>local machine's docker group.
>
>2. AD users that were already in the docker-external group and were added
>to the local machine's docker group no longer have permission to run docker.
>Running the id command to check user details shows them to be members of
>the docker group, but the id of the docker group is the id of the freeipa
>docker posix group.

Since user/group data properly comes from IPA, you need to check your
client system configuration. Group merging is a feature of glibc and is
driven by the configuration in /etc/nsswitch.conf.


I thought adding the initgroup:sss [SUCCESS=merge] files line in nsswitch.conf
would suffice. This is the contents of the file on the clients:

#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
automount:      sss

initgroups:sss [SUCCESS=merge] files

Did you try the other order? E.g.
   'files [SUCCESS=merge] sss'

See https://sourceware.org/glibc/wiki/Proposals/GroupMerging for
details. Upstream commit is 
https://sourceware.org/git/?p=glibc.git;a=commit;h=ced8f8933673f4efda1d666d26a1a949602035ed

Since merge is driven by the group found in the first database by adding
members of the same group found in the second database, I think files
should be first, sss should be second.

Other than that, you haven't told us anything about your system details,
though. As I said, this is outside of the control of IPA because the actual
group merging is done by glibc.
So, start with explaining more details about your system:
 - what distribution is it and what versions of installed packages
   (ipa/freeipa packages, SSSD packages, glibc, etc.)

 - what exactly happens

 - what was updated


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
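As an added illustration (not part of the thread or of glibc/SSSD tooling), a small POSIX sh check of the two nsswitch.conf lines that glibc consults for merging, run against two constructed configs: the lines as posted above, where only 'initgroups' carries [SUCCESS=merge] and has sss ahead of files while the 'group' line that id and getgrnam use has no merge action at all, and the 'files [SUCCESS=merge] sss' order suggested in the reply. The check function and sample files are constructed here; the 'systemd' service is left out of the corrected sample for brevity.

```shell
#!/bin/sh
# Added check for the two nsswitch.conf lines that drive glibc group merging.
# Merging keeps the entry from the first database and adds members of the
# same-named group from the next one, so for a local 'docker' group to absorb
# IPA members the order must be 'files [SUCCESS=merge] sss' on 'group' too.

# Print "ok" when database $1 in file $2 reads 'files [SUCCESS=merge] sss'
# (extra services tolerated); otherwise print a short reason and fail.
nss_merge_status() {
    line=$(sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1)
    [ -n "$line" ] || { echo "missing"; return 1; }
    case "$line" in
        *"[SUCCESS=merge]"*) ;;
        *) echo "no-merge"; return 1 ;;
    esac
    before=${line%%"[SUCCESS=merge]"*}   # services before the merge action
    after=${line#*"[SUCCESS=merge]"}     # services after it
    case " $before " in *" files "*) ;; *) echo "files-not-first"; return 1 ;; esac
    case " $after "  in *" sss "*)   ;; *) echo "sss-not-after-merge"; return 1 ;; esac
    echo "ok"
}

# Report both databases; succeed only when both are set up for merging.
check_group_merge_config() {
    rc=0
    for db in group initgroups; do
        status=$(nss_merge_status "$db" "$1") || rc=1
        echo "$db: $status"
    done
    return $rc
}

# Constructed sample 1: the lines as posted above (no merge action on
# 'group'; sss ahead of files on 'initgroups').
BROKEN_CONF=$(mktemp)
cat >"$BROKEN_CONF" <<'EOF'
group:          files systemd sss
initgroups:sss [SUCCESS=merge] files
EOF

# Constructed sample 2: the order suggested in the reply, on both lines.
FIXED_CONF=$(mktemp)
cat >"$FIXED_CONF" <<'EOF'
group:          files [SUCCESS=merge] sss
initgroups:     files [SUCCESS=merge] sss
EOF
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT
check_group_merge_config "$BROKEN_CONF" || echo "merge order needs fixing"
check_group_merge_config "$FIXED_CONF"
```

Point it at a real client's /etc/nsswitch.conf to see which line blocks merging before digging into SSSD or IPA.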
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue