HI

If I disable the allow_all <https://freeipa.idm.local/ipa/ui/#allow_all> rule, I cannot log in to the client machine.
On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> HI
>
> actually I have added Domain Admins and the user ben is not part of Domain
> Admins. But when I login to client machine, I am getting below
>
> -sh-4.2$ id
> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw)
> groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>
> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> HI
>>
>> while explaining here it went wrong. actually what I did is
>> "Added external group to POSIX group"
>>
>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>
>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>> > HI,
>>> >
>>> > "The other is that the groups might not show up on the client (do they?)"
>>>
>>> id $user.
>>>
>>> But I think Alexander noticed the root cause.
>>>
>>> >
>>> > how can I check that.
>>> >
>>> > Thanks
>>> > Ben
>>> >
>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>> >
>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>> > > > Hi List,
>>> > > >
>>> > > > I have a working setup of one AD, one IPA server and one client server. By
>>> > > > default I can login to the client server by using an AD username.
>>> > > >
>>> > > > I want to apply HBAC rules against this client server. For that I have done
>>> > > > the below steps.
>>> > > >
>>> > > > 1. created External group in IPA server
>>> > > > 2. created local POSIX group in IPA server
>>> > > > 3. Added AD group to external group
>>> > > > 4. added POSIX group to external group.
>>> > > >
>>> > > > After that I have created an HBAC rule by adding both local and external IPA
>>> > > > groups, added sshd as service and selected service group as sudo.
>>> > > >
>>> > > > I have applied this HBAC rule to the client server from the web UI, and while
>>> > > > testing HBAC from the web, I am getting access denied.
>>> > >
>>> > > Sorry, not enough info.
>>> > >
>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>> > > The other is that the groups might not show up on the client (do they?)
>>> > >
>>> > > Anyway, it might be good idea to follow
>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>> > >
>>> > > --
>>> > > Manage your subscription for the Freeipa-users mailing list:
>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>> > > Go to http://freeipa.org for more info on the project
>>> > >
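The AD group -> external group -> POSIX group -> HBAC rule chain discussed in this thread, as an added example written for this page (it is not code from any poster or from the FreeIPA project). It assumes hypothetical names (AD group 'sudo admins@kwttestdc.com.kw', IPA groups ad_sudo_admins_external and ad_sudo_admins, rule hbac_client_sudo, client host client.idm.local) and an admin ticket on the IPA server; it lists sudo-i alongside sshd and sudo, as Jakub suggests, and checks the rule with ipa hbactest before allow_all is disabled.

```shell
#!/bin/sh
# Added example, not code from the thread: the AD group -> IPA external
# group -> IPA POSIX group -> HBAC rule chain as ipa CLI calls, plus an
# hbactest pass before allow_all is disabled. Assumed (hypothetical)
# names: AD group 'sudo admins@kwttestdc.com.kw', client client.idm.local.
# Run on an IPA server after 'kinit admin'; IPA_CMD=echo only prints.
IPA_CMD="${IPA_CMD:-ipa}"

setup_hbac() {
    ad_group="$1"; ext_group="$2"; posix_group="$3"; rule="$4"; host="$5"
    # 1. external (non-POSIX) group that can hold AD SIDs
    "$IPA_CMD" group-add --external "$ext_group"
    # 2. POSIX group that HBAC and sudo rules reference
    "$IPA_CMD" group-add "$posix_group"
    # 3. AD group becomes a member of the external group
    "$IPA_CMD" group-add-member "$ext_group" --external "$ad_group"
    # 4. external group becomes a member of the POSIX group (this direction,
    #    as corrected in the thread, not POSIX into external)
    "$IPA_CMD" group-add-member "$posix_group" --groups "$ext_group"
    # 5. HBAC rule: POSIX group, client host, and sshd + sudo + sudo-i
    #    ("sudo -i" is evaluated against the sudo-i service, so list it too)
    "$IPA_CMD" hbacrule-add "$rule"
    "$IPA_CMD" hbacrule-add-user "$rule" --groups "$posix_group"
    "$IPA_CMD" hbacrule-add-host "$rule" --hosts "$host"
    "$IPA_CMD" hbacrule-add-service "$rule" \
        --hbacsvcs sshd --hbacsvcs sudo --hbacsvcs sudo-i
}

verify_hbac() {
    user="$1"; host="$2"; rule="$3"
    # Simulate the decision with only this rule, so an enabled allow_all
    # cannot hide a gap; run this before disabling allow_all.
    for svc in sshd sudo sudo-i; do
        "$IPA_CMD" hbactest --user "$user" --host "$host" \
            --service "$svc" --rules "$rule"
    done
}

if [ "${1:-}" = "run" ]; then
    setup_hbac 'sudo admins@kwttestdc.com.kw' ad_sudo_admins_external \
        ad_sudo_admins hbac_client_sudo client.idm.local
    verify_hbac ben@kwttestdc.com.kw client.idm.local hbac_client_sudo
fi
```

If hbactest grants access but the client still denies the login, check on the client with `id ben@kwttestdc.com.kw` that the POSIX group appears in the user's group list, which is the second condition Jakub raises.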