On (14/05/15 15:53), Andy Thompson wrote:
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
>> Sent: Thursday, May 14, 2015 11:46 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] trusted user groups
>>
>> On Thu, May 14, 2015 at 03:33:28PM +0000, Andy Thompson wrote:
>> > I've noticed that trusted users' supplementary AD groups don't show up
>> > until after the users log in to the box at least once.
>>
>> That's expected with the versions you're running. Prior to 6.7, we could only
>> read the trusted users' group membership from the PAC blob attached to
>> the Kerberos ticket.
>>
>> > Is there a chance that information will be dropped again at any point going
>> > forward?
>>
>> No, otherwise it's a bug.
>>
>> > The reason I ask is that on our sftp boxes we chroot users based on
>> > group membership. I set that up as an external group in FreeIPA and
>> > the first time the user logs in to the sftp box, they are dropped in
>> > their normal home directory as opposed to the chroot environment. If
>> > there is a chance the group membership will not show up correctly
>> > again in the future, I'm inclined to change the chroot stanzas to match on
>> > user as opposed to group.
>> >
>> > Is that by design?
>>
>> If you can't see the correct group memberships after a login, then something
>> is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and there are so many
>> fixes and enhancements in this area... is there a chance you could try out 6.7
>> beta or some custom packages?
>>
>
>Group memberships show up fine after the first login so it is working as
>expected then. The accounts are very controlled so it shouldn't be a huge
>sticking point. I could try out some custom packages on this box but I can't
>move to 6.7 until we upgrade the entire environment.
>

Here you are:
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/

LS