On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> Hi List,
>
> I have a working setup of one AD, one IPA server and one client server. By
> default I can log in to the client server by using an AD username.
>
> I want to apply HBAC rules against this client server. For that I have done
> the steps below.
>
> 1. created an external group on the IPA server
> 2. created a local POSIX group on the IPA server
> 3. added the AD group to the external group
> 4. added the POSIX group to the external group
>
> After that I created an HBAC rule by adding both local and external IPA
> groups, added sshd as service and selected the service group sudo.
>
> I have applied this HBAC rule to the client server from the web UI, and while
> testing HBAC from the web I am getting access denied.
Sorry, not enough info. One guess would be that you need to add the "sudo-i" service as well. The other is that the groups might not show up on the client (do they?) Anyway, it might be a good idea to follow https://fedorahosted.org/sssd/wiki/Troubleshooting

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
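The four-step group mapping in the question and the two checks the reply asks for (is "sudo-i" in the rule, and do the groups show up on the client) are shown below as the corresponding `ipa` CLI sequence. This is an added example, not code from either poster or from the FreeIPA project; the AD domain, AD group, client hostname, group names and rule name are placeholders, and the `IPA_DRY_RUN` switch is a convenience of this script, not an `ipa` option. The POSIX group, not the external group, is what the HBAC rule references, because HBAC is evaluated against the POSIX groups SSSD resolves for the user.

```shell
#!/bin/sh
# Constructed example: map an AD group into FreeIPA via an external group and a
# POSIX group, grant it sshd and sudo on one client through an HBAC rule, then
# run the checks the reply asks for. All names below are assumed placeholders.
# With IPA_DRY_RUN=1 the commands are printed instead of executed, so the
# sequence can be reviewed offline before running it with an admin ticket.

AD_REALM='ad.example.com'        # assumed AD domain
AD_GROUP='AD\Domain Admins'      # assumed AD group in DOMAIN\Group form
CLIENT='client.example.com'      # assumed IPA-enrolled client host
EXT_GROUP='ad_admins_external'   # IPA external (non-POSIX) group holding the AD SID
POSIX_GROUP='ad_admins'          # IPA POSIX group that the HBAC rule references
RULE='allow_ad_admins_ssh_sudo'  # assumed HBAC rule name

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1-4 from the question: external group, POSIX group, AD group into the
# external group, external group into the POSIX group.
map_ad_group() {
  run ipa group-add "$EXT_GROUP" --external --desc="External map for $AD_GROUP"
  run ipa group-add "$POSIX_GROUP" --desc="POSIX group for $AD_GROUP"
  run ipa group-add-member "$EXT_GROUP" --external "$AD_GROUP"
  run ipa group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
}

# HBAC rule: POSIX group as the user side, one host, and sshd plus both sudo
# services (sudo and sudo-i, the one the reply suspects is missing).
add_hbac_rule() {
  run ipa hbacrule-add "$RULE" --desc="sshd and sudo for $AD_GROUP on $CLIENT"
  run ipa hbacrule-add-user "$RULE" --groups "$POSIX_GROUP"
  run ipa hbacrule-add-host "$RULE" --hosts "$CLIENT"
  run ipa hbacrule-add-service "$RULE" --hbacsvcs sshd --hbacsvcs sudo --hbacsvcs sudo-i
}

# Server-side simulation of the rule for an AD user ($1 = short AD user name).
check_access() {
  run ipa hbactest --user="$1@$AD_REALM" --host="$CLIENT" --service=sshd
  run ipa hbactest --user="$1@$AD_REALM" --host="$CLIENT" --service=sudo-i
}

# Client-side check: the POSIX group must appear in the AD user's group list
# on the client, otherwise the HBAC rule can never match there.
check_client_groups() {
  run id "$1@$AD_REALM"
  run getent group "$POSIX_GROUP"
}

# Apply everything only when explicitly asked; $1 is the AD user to test.
if [ "${IPA_APPLY:-0}" = "1" ]; then
  map_ad_group
  add_hbac_rule
  check_access "${1:-aduser}"
  check_client_groups "${1:-aduser}"
fi
```

Review the sequence first with `IPA_DRY_RUN=1 IPA_APPLY=1 sh hbac_ad.sh someuser`, then run it on the IPA server with a `kinit admin` ticket; `check_client_groups` is meant to be run on the client itself, where `id user@ad.example.com` shows whether SSSD resolves the POSIX group at all.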