On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote: > Hi. > > I have a been successful using Freeipa 4.1 configuring active directory users > and with sudo. The problem I am having is that the HBAC rules are not > applying to my active directory users. They have access to all systems even > if I disable my Allow_ALL rule. Is there something special I should be doing > to domain?
Normally HBAC for AD users should be done through an external group you add the AD users or groups to, then add the external group to a regular IPA group and reference this IPA group from HBAC rules. There have been bugs related to external groups resolution, so please update to the latest IPA and SSSD packages also. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
