HI while explaning here it went wrong. actually i did is" Added external group to POSIX group"
On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > > HI, > > > > "The other is that the groups might not show up on the client (do they?)" > > id $user. > > But I think Alexander noticed the root cause. > > > > > how can i check that. > > > > Thanks > > Ben > > > > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> > wrote: > > > > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > > > > Hi List, > > > > > > > > I have working setup of one AD, one IPA server and one client > server. by > > > > default i can login to client server by using AD username. > > > > > > > > i want to apply HBAC rules against this client server. For that i > have > > > done > > > > below steps. > > > > > > > > 1. created External group in IPA erver > > > > 2. created local POSIX group n IPA server > > > > 3. Added AD group to external group > > > > 4. added POSIX group to external group. > > > > > > > > After that have created HBAC rule by adding both local and external > IPA > > > > groups, added sshd as service and selected service group as sudo. > > > > > > > > i have applied this HBAC rule to client server and from web UI and > while > > > > testing HBAC from web, i am getting access denied . > > > > > > Sorry, not enough info. > > > > > > One guess would be that you need to add the "sudo-i" service as well. > > > The other is that the groups might not show up on the client (do they?) > > > > > > Anyway, it might be good idea to follow > > > https://fedorahosted.org/sssd/wiki/Troubleshooting > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project