Hi, actually I have added Domain Admins, and the user ben is not part of Domain Admins. But when I log in to the client machine, I am getting the below:
-sh-4.2$ id
uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(*domain us...@kwttestdc.com.kw <us...@kwttestdc.com.kw>*),1827801105(sudo adm...@kwttestdc.com.kw)

On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com> wrote:

> Hi,
>
> While explaining here it went wrong. Actually what I did is
> "Added external group to POSIX group".
>
> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>> > Hi,
>> >
>> > "The other is that the groups might not show up on the client (do they?)"
>>
>> id $user.
>>
>> But I think Alexander noticed the root cause.
>>
>> >
>> > How can I check that?
>> >
>> > Thanks
>> > Ben
>> >
>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> >
>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>> > > > Hi List,
>> > > >
>> > > > I have a working setup of one AD, one IPA server and one client server.
>> > > > By default I can log in to the client server by using an AD username.
>> > > >
>> > > > I want to apply HBAC rules against this client server. For that I have
>> > > > done the steps below.
>> > > >
>> > > > 1. Created External group in IPA server
>> > > > 2. Created local POSIX group in IPA server
>> > > > 3. Added AD group to external group
>> > > > 4. Added POSIX group to external group.
>> > > >
>> > > > After that I have created an HBAC rule by adding both local and external
>> > > > IPA groups, added sshd as service and selected service group as sudo.
>> > > >
>> > > > I have applied this HBAC rule to the client server and from the web UI,
>> > > > and while testing HBAC from the web, I am getting access denied.
>> > >
>> > > Sorry, not enough info.
>> > >
>> > > One guess would be that you need to add the "sudo-i" service as well.
>> > > The other is that the groups might not show up on the client (do they?)
>> > >
>> > > Anyway, it might be a good idea to follow
>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>> > >
>> > > --
>> > > Manage your subscription for the Freeipa-users mailing list:
>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > Go to http://freeipa.org for more info on the project
>> > >